Vulnerability Analysis Results

Sample 8927: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_12.c

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_12.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-12.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: memmove
12 * BadSink : Copy int array to data using memmove
13 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_12_bad()
22{
23 int * data;
24 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));
25 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));
26 if(globalReturnsTrueOrFalse())
27 {
28 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
29 * buffer in various memory copying functions using a "large" source buffer. */
30 data = dataBadBuffer;
31 }
32 else
33 {
34 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
35 data = dataGoodBuffer;
36 }
37 {
38 int source[100] = {0}; /* fill with 0's */
39 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
40 memmove(data, source, 100*sizeof(int));❗VULN
41 printIntLine(data[0]);
42 }
43}
44
45#endif /* OMITBAD */
46
47#ifndef OMITGOOD
48
49/* goodG2B() - use goodsource and badsink by changing the "if" so that
50 * both branches use the GoodSource */
51static void goodG2B()
52{
53 int * data;
54 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));
55 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));
56 if(globalReturnsTrueOrFalse())
57 {
58 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
59 data = dataGoodBuffer;
60 }
61 else
62 {
63 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
64 data = dataGoodBuffer;
65 }
66 {
67 int source[100] = {0}; /* fill with 0's */
68 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
69 memmove(data, source, 100*sizeof(int));
70 printIntLine(data[0]);
71 }
72}
73
74void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_12_good()
75{
76 goodG2B();
77}
78
79#endif /* OMITGOOD */
80
81/* Below is the main(). It is only used when building this testcase on
82 * its own for testing or for building a binary to use in testing binary
83 * analysis tools. It is not used when compiling all the testcases as one
84 * application, which is how source code analysis tools are tested.
85 */
86
87#ifdef INCLUDEMAIN
88
89int main(int argc, char * argv[])
90{
91 /* seed randomness */
92 srand( (unsigned)time(NULL) );
93#ifndef OMITGOOD
94 printLine("Calling good()...");
95 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_12_good();
96 printLine("Finished good()");
97#endif /* OMITGOOD */
98#ifndef OMITBAD
99 printLine("Calling bad()...");
100 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_12_bad();
101 printLine("Finished bad()");
102#endif /* OMITBAD */
103 return 0;
104}
105
106#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1154: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE129_rand_15.cpp

Nodes: 29 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE129_rand_15.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE129.label.xml
4Template File: sources-sinks-15.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: rand Set data to result of rand(), which may be zero
10 * GoodSource: Larger than zero but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the upper bound
14 * Flow Variant: 15 Control flow: switch(6) and switch(7)
15 * */
16
17#include "std_testcase.h"
18
19namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE129_rand_15
20{
21
22#ifndef OMITBAD
23
24void bad()
25{
26 int data;
27 /* Initialize data */
28 data = -1;
29 switch(6)
30 {
31 case 6:
32 /* POTENTIAL FLAW: Set data to a random value */
33 data = RAND32();
34 break;
35 default:
36 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
37 printLine("Benign, fixed string");
38 break;
39 }
40 switch(7)
41 {
42 case 7:
43 {
44 int i;
45 int * buffer = new int[10];
46 /* initialize buffer */
47 for (i = 0; i < 10; i++)
48 {
49 buffer[i] = 0;
50 }
51 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
52 * This code does check to see if the array index is negative */
53 if (data >= 0)
54 {
55 buffer[data] = 1;❗VULN
56 /* Print the array values */
57 for(i = 0; i < 10; i++)
58 {
59 printIntLine(buffer[i]);
60 }
61 }
62 else
63 {
64 printLine("ERROR: Array index is negative.");
65 }
66 delete[] buffer;
67 }
68 break;
69 default:
70 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
71 printLine("Benign, fixed string");
72 break;
73 }
74}
75
76#endif /* OMITBAD */
77
78#ifndef OMITGOOD
79
80/* goodB2G1() - use badsource and goodsink by changing the second switch to switch(8) */
81static void goodB2G1()
82{
83 int data;
84 /* Initialize data */
85 data = -1;
86 switch(6)
87 {
88 case 6:
89 /* POTENTIAL FLAW: Set data to a random value */
90 data = RAND32();
91 break;
92 default:
93 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
94 printLine("Benign, fixed string");
95 break;
96 }
97 switch(8)
98 {
99 case 7:
100 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
101 printLine("Benign, fixed string");
102 break;
103 default:
104 {
105 int i;
106 int * buffer = new int[10];
107 /* initialize buffer */
108 for (i = 0; i < 10; i++)
109 {
110 buffer[i] = 0;
111 }
112 /* FIX: Properly validate the array index and prevent a buffer overflow */
113 if (data >= 0 && data < (10))
114 {
115 buffer[data] = 1;
116 /* Print the array values */
117 for(i = 0; i < 10; i++)
118 {
119 printIntLine(buffer[i]);
120 }
121 }
122 else
123 {
124 printLine("ERROR: Array index is out-of-bounds");
125 }
126 delete[] buffer;
127 }
128 break;
129 }
130}
131
132/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second switch */
133static void goodB2G2()
134{
135 int data;
136 /* Initialize data */
137 data = -1;
138 switch(6)
139 {
140 case 6:
141 /* POTENTIAL FLAW: Set data to a random value */
142 data = RAND32();
143 break;
144 default:
145 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
146 printLine("Benign, fixed string");
147 break;
148 }
149 switch(7)
150 {
151 case 7:
152 {
153 int i;
154 int * buffer = new int[10];
155 /* initialize buffer */
156 for (i = 0; i < 10; i++)
157 {
158 buffer[i] = 0;
159 }
160 /* FIX: Properly validate the array index and prevent a buffer overflow */
161 if (data >= 0 && data < (10))
162 {
163 buffer[data] = 1;
164 /* Print the array values */
165 for(i = 0; i < 10; i++)
166 {
167 printIntLine(buffer[i]);
168 }
169 }
170 else
171 {
172 printLine("ERROR: Array index is out-of-bounds");
173 }
174 delete[] buffer;
175 }
176 break;
177 default:
178 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
179 printLine("Benign, fixed string");
180 break;
181 }
182}
183
184/* goodG2B1() - use goodsource and badsink by changing the first switch to switch(5) */
185static void goodG2B1()
186{
187 int data;
188 /* Initialize data */
189 data = -1;
190 switch(5)
191 {
192 case 6:
193 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
194 printLine("Benign, fixed string");
195 break;
196 default:
197 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
198 * access an index of the array in the sink that is out-of-bounds */
199 data = 7;
200 break;
201 }
202 switch(7)
203 {
204 case 7:
205 {
206 int i;
207 int * buffer = new int[10];
208 /* initialize buffer */
209 for (i = 0; i < 10; i++)
210 {
211 buffer[i] = 0;
212 }
213 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
214 * This code does check to see if the array index is negative */
215 if (data >= 0)
216 {
217 buffer[data] = 1;
218 /* Print the array values */
219 for(i = 0; i < 10; i++)
220 {
221 printIntLine(buffer[i]);
222 }
223 }
224 else
225 {
226 printLine("ERROR: Array index is negative.");
227 }
228 delete[] buffer;
229 }
230 break;
231 default:
232 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
233 printLine("Benign, fixed string");
234 break;
235 }
236}
237
238/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first switch */
239static void goodG2B2()
240{
241 int data;
242 /* Initialize data */
243 data = -1;
244 switch(6)
245 {
246 case 6:
247 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
248 * access an index of the array in the sink that is out-of-bounds */
249 data = 7;
250 break;
251 default:
252 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
253 printLine("Benign, fixed string");
254 break;
255 }
256 switch(7)
257 {
258 case 7:
259 {
260 int i;
261 int * buffer = new int[10];
262 /* initialize buffer */
263 for (i = 0; i < 10; i++)
264 {
265 buffer[i] = 0;
266 }
267 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
268 * This code does check to see if the array index is negative */
269 if (data >= 0)
270 {
271 buffer[data] = 1;
272 /* Print the array values */
273 for(i = 0; i < 10; i++)
274 {
275 printIntLine(buffer[i]);
276 }
277 }
278 else
279 {
280 printLine("ERROR: Array index is negative.");
281 }
282 delete[] buffer;
283 }
284 break;
285 default:
286 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
287 printLine("Benign, fixed string");
288 break;
289 }
290}
291
292void good()
293{
294 goodB2G1();
295 goodB2G2();
296 goodG2B1();
297 goodG2B2();
298}
299
300#endif /* OMITGOOD */
301
302} /* close namespace */
303
304/* Below is the main(). It is only used when building this testcase on
305 its own for testing or for building a binary to use in testing binary
306 analysis tools. It is not used when compiling all the testcases as one
307 application, which is how source code analysis tools are tested. */
308
309#ifdef INCLUDEMAIN
310
311using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE129_rand_15; /* so that we can use good and bad easily */
312
313int main(int argc, char * argv[])
314{
315 /* seed randomness */
316 srand( (unsigned)time(NULL) );
317#ifndef OMITGOOD
318 printLine("Calling good()...");
319 good();
320 printLine("Finished good()");
321#endif /* OMITGOOD */
322#ifndef OMITBAD
323 printLine("Calling bad()...");
324 bad();
325 printLine("Finished bad()");
326#endif /* OMITBAD */
327 return 0;
328}
329
330#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5998: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncpy_07.cpp

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncpy_07.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml
4Template File: sources-sink-07.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: ncpy
12 * BadSink : Copy string to data using wcsncpy
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The variable below is not declared "const", but is never assigned
22 any other value so a tool should be able to identify that reads of
23 this will always give its initialized value. */
24static int staticFive = 5;
25
26namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncpy_07
27{
28
29#ifndef OMITBAD
30
31void bad()
32{
33 wchar_t * data;
34 data = NULL;
35 if(staticFive==5)
36 {
37 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
38 data = new wchar_t[50];
39 data[0] = L'\0'; /* null terminate */
40 }
41 {
42 wchar_t source[100];
43 wmemset(source, L'C', 100-1); /* fill with L'C's */
44 source[100-1] = L'\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
46 wcsncpy(data, source, 100-1);❗VULN
47 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
48 printWLine(data);
49 delete [] data;
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
58static void goodG2B1()
59{
60 wchar_t * data;
61 data = NULL;
62 if(staticFive!=5)
63 {
64 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
65 printLine("Benign, fixed string");
66 }
67 else
68 {
69 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
70 data = new wchar_t[100];
71 data[0] = L'\0'; /* null terminate */
72 }
73 {
74 wchar_t source[100];
75 wmemset(source, L'C', 100-1); /* fill with L'C's */
76 source[100-1] = L'\0'; /* null terminate */
77 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
78 wcsncpy(data, source, 100-1);
79 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
80 printWLine(data);
81 delete [] data;
82 }
83}
84
85/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
86static void goodG2B2()
87{
88 wchar_t * data;
89 data = NULL;
90 if(staticFive==5)
91 {
92 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
93 data = new wchar_t[100];
94 data[0] = L'\0'; /* null terminate */
95 }
96 {
97 wchar_t source[100];
98 wmemset(source, L'C', 100-1); /* fill with L'C's */
99 source[100-1] = L'\0'; /* null terminate */
100 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
101 wcsncpy(data, source, 100-1);
102 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
103 printWLine(data);
104 delete [] data;
105 }
106}
107
108void good()
109{
110 goodG2B1();
111 goodG2B2();
112}
113
114#endif /* OMITGOOD */
115
116} /* close namespace */
117
118/* Below is the main(). It is only used when building this testcase on
119 its own for testing or for building a binary to use in testing binary
120 analysis tools. It is not used when compiling all the testcases as one
121 application, which is how source code analysis tools are tested. */
122
123#ifdef INCLUDEMAIN
124
125using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncpy_07; /* so that we can use good and bad easily */
126
127int main(int argc, char * argv[])
128{
129 /* seed randomness */
130 srand( (unsigned)time(NULL) );
131#ifndef OMITGOOD
132 printLine("Calling good()...");
133 good();
134 printLine("Finished good()");
135#endif /* OMITGOOD */
136#ifndef OMITBAD
137 printLine("Calling bad()...");
138 bad();
139 printLine("Finished bad()");
140#endif /* OMITBAD */
141 return 0;
142}
143
144#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5275: CWE122_Heap_Based_Buffer_Overflow__cpp_src_char_cpy_07.cpp

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_src_char_cpy_07.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_src.label.xml
4Template File: sources-sink-07.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: cpy
12 * BadSink : Copy data to string using strcpy
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The variable below is not declared "const", but is never assigned
22 any other value so a tool should be able to identify that reads of
23 this will always give its initialized value. */
24static int staticFive = 5;
25
26namespace CWE122_Heap_Based_Buffer_Overflow__cpp_src_char_cpy_07
27{
28
29#ifndef OMITBAD
30
31void bad()
32{
33 char * data;
34 data = new char[100];
35 if(staticFive==5)
36 {
37 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
38 memset(data, 'A', 100-1); /* fill with 'A's */
39 data[100-1] = '\0'; /* null terminate */
40 }
41 {
42 char dest[50] = "";
43 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
44 strcpy(dest, data);❗VULN
45 printLine(data);
46 delete [] data;
47 }
48}
49
50#endif /* OMITBAD */
51
52#ifndef OMITGOOD
53
54/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
55static void goodG2B1()
56{
57 char * data;
58 data = new char[100];
59 if(staticFive!=5)
60 {
61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
62 printLine("Benign, fixed string");
63 }
64 else
65 {
66 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
67 memset(data, 'A', 50-1); /* fill with 'A's */
68 data[50-1] = '\0'; /* null terminate */
69 }
70 {
71 char dest[50] = "";
72 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
73 strcpy(dest, data);
74 printLine(data);
75 delete [] data;
76 }
77}
78
79/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
80static void goodG2B2()
81{
82 char * data;
83 data = new char[100];
84 if(staticFive==5)
85 {
86 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
87 memset(data, 'A', 50-1); /* fill with 'A's */
88 data[50-1] = '\0'; /* null terminate */
89 }
90 {
91 char dest[50] = "";
92 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
93 strcpy(dest, data);
94 printLine(data);
95 delete [] data;
96 }
97}
98
99void good()
100{
101 goodG2B1();
102 goodG2B2();
103}
104
105#endif /* OMITGOOD */
106
107} /* close namespace */
108
109/* Below is the main(). It is only used when building this testcase on
110 its own for testing or for building a binary to use in testing binary
111 analysis tools. It is not used when compiling all the testcases as one
112 application, which is how source code analysis tools are tested. */
113
114#ifdef INCLUDEMAIN
115
116using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_src_char_cpy_07; /* so that we can use good and bad easily */
117
118int main(int argc, char * argv[])
119{
120 /* seed randomness */
121 srand( (unsigned)time(NULL) );
122#ifndef OMITGOOD
123 printLine("Calling good()...");
124 good();
125 printLine("Finished good()");
126#endif /* OMITGOOD */
127#ifndef OMITBAD
128 printLine("Calling bad()...");
129 bad();
130 printLine("Finished bad()");
131#endif /* OMITBAD */
132 return 0;
133}
134
135#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9089: CWE127_Buffer_Underread__char_declare_loop_10.c

Nodes: 16 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__char_declare_loop_10.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-10.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__char_declare_loop_10_bad()
24{
25 char * data;
26 char dataBuffer[100];
27 memset(dataBuffer, 'A', 100-1);
28 dataBuffer[100-1] = '\0';
29 if(globalTrue)
30 {
31 /* FLAW: Set data pointer to before the allocated memory buffer */
32 data = dataBuffer - 8;
33 }
34 {
35 size_t i;
36 char dest[100];
37 memset(dest, 'C', 100-1); /* fill with 'C's */
38 dest[100-1] = '\0'; /* null terminate */
39 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
40 for (i = 0; i < 100; i++)
41 {
42 dest[i] = data[i];❗VULN
43 }
44 /* Ensure null termination */
45 dest[100-1] = '\0';
46 printLine(dest);
47 }
48}
49
50#endif /* OMITBAD */
51
52#ifndef OMITGOOD
53
54/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */
55static void goodG2B1()
56{
57 char * data;
58 char dataBuffer[100];
59 memset(dataBuffer, 'A', 100-1);
60 dataBuffer[100-1] = '\0';
61 if(globalFalse)
62 {
63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
64 printLine("Benign, fixed string");
65 }
66 else
67 {
68 /* FIX: Set data pointer to the allocated memory buffer */
69 data = dataBuffer;
70 }
71 {
72 size_t i;
73 char dest[100];
74 memset(dest, 'C', 100-1); /* fill with 'C's */
75 dest[100-1] = '\0'; /* null terminate */
76 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
77 for (i = 0; i < 100; i++)
78 {
79 dest[i] = data[i];
80 }
81 /* Ensure null termination */
82 dest[100-1] = '\0';
83 printLine(dest);
84 }
85}
86
87/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
88static void goodG2B2()
89{
90 char * data;
91 char dataBuffer[100];
92 memset(dataBuffer, 'A', 100-1);
93 dataBuffer[100-1] = '\0';
94 if(globalTrue)
95 {
96 /* FIX: Set data pointer to the allocated memory buffer */
97 data = dataBuffer;
98 }
99 {
100 size_t i;
101 char dest[100];
102 memset(dest, 'C', 100-1); /* fill with 'C's */
103 dest[100-1] = '\0'; /* null terminate */
104 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
105 for (i = 0; i < 100; i++)
106 {
107 dest[i] = data[i];
108 }
109 /* Ensure null termination */
110 dest[100-1] = '\0';
111 printLine(dest);
112 }
113}
114
115void CWE127_Buffer_Underread__char_declare_loop_10_good()
116{
117 goodG2B1();
118 goodG2B2();
119}
120
121#endif /* OMITGOOD */
122
123/* Below is the main(). It is only used when building this testcase on
124 * its own for testing or for building a binary to use in testing binary
125 * analysis tools. It is not used when compiling all the testcases as one
126 * application, which is how source code analysis tools are tested.
127 */
128
129#ifdef INCLUDEMAIN
130
131int main(int argc, char * argv[])
132{
133 /* seed randomness */
134 srand( (unsigned)time(NULL) );
135#ifndef OMITGOOD
136 printLine("Calling good()...");
137 CWE127_Buffer_Underread__char_declare_loop_10_good();
138 printLine("Finished good()");
139#endif /* OMITGOOD */
140#ifndef OMITBAD
141 printLine("Calling bad()...");
142 CWE127_Buffer_Underread__char_declare_loop_10_bad();
143 printLine("Finished bad()");
144#endif /* OMITBAD */
145 return 0;
146}
147
148#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8086: CWE127_Buffer_Underread__malloc_char_cpy_12.c

Nodes: 20 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__malloc_char_cpy_12.c
3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml
4Template File: sources-sink-12.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: cpy
12 * BadSink : Copy data to string using strcpy
13 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__malloc_char_cpy_12_bad()
24{
25 char * data;
26 data = NULL;
27 if(globalReturnsTrueOrFalse())
28 {
29 {
30 char * dataBuffer = (char *)malloc(100*sizeof(char));
31 if (dataBuffer == NULL) {exit(-1);}
32 memset(dataBuffer, 'A', 100-1);
33 dataBuffer[100-1] = '\0';
34 /* FLAW: Set data pointer to before the allocated memory buffer */
35 data = dataBuffer - 8;
36 }
37 }
38 else
39 {
40 {
41 char * dataBuffer = (char *)malloc(100*sizeof(char));
42 if (dataBuffer == NULL) {exit(-1);}
43 memset(dataBuffer, 'A', 100-1);
44 dataBuffer[100-1] = '\0';
45 /* FIX: Set data pointer to the allocated memory buffer */
46 data = dataBuffer;
47 }
48 }
49 {
50 char dest[100*2];
51 memset(dest, 'C', 100*2-1); /* fill with 'C's */
52 dest[100*2-1] = '\0'; /* null terminate */
53 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
54 strcpy(dest, data);❗VULN
55 printLine(dest);
56 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
57 * returned by malloc() so can't safely call free() on it */
58 }
59}
60
61#endif /* OMITBAD */
62
63#ifndef OMITGOOD
64
65/* goodG2B() - use goodsource and badsink by changing the "if" so that
66 * both branches use the GoodSource */
67static void goodG2B()
68{
69 char * data;
70 data = NULL;
71 if(globalReturnsTrueOrFalse())
72 {
73 {
74 char * dataBuffer = (char *)malloc(100*sizeof(char));
75 if (dataBuffer == NULL) {exit(-1);}
76 memset(dataBuffer, 'A', 100-1);
77 dataBuffer[100-1] = '\0';
78 /* FIX: Set data pointer to the allocated memory buffer */
79 data = dataBuffer;
80 }
81 }
82 else
83 {
84 {
85 char * dataBuffer = (char *)malloc(100*sizeof(char));
86 if (dataBuffer == NULL) {exit(-1);}
87 memset(dataBuffer, 'A', 100-1);
88 dataBuffer[100-1] = '\0';
89 /* FIX: Set data pointer to the allocated memory buffer */
90 data = dataBuffer;
91 }
92 }
93 {
94 char dest[100*2];
95 memset(dest, 'C', 100*2-1); /* fill with 'C's */
96 dest[100*2-1] = '\0'; /* null terminate */
97 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
98 strcpy(dest, data);
99 printLine(dest);
100 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
101 * returned by malloc() so can't safely call free() on it */
102 }
103}
104
105void CWE127_Buffer_Underread__malloc_char_cpy_12_good()
106{
107 goodG2B();
108}
109
110#endif /* OMITGOOD */
111
112/* Below is the main(). It is only used when building this testcase on
113 * its own for testing or for building a binary to use in testing binary
114 * analysis tools. It is not used when compiling all the testcases as one
115 * application, which is how source code analysis tools are tested.
116 */
117
118#ifdef INCLUDEMAIN
119
120int main(int argc, char * argv[])
121{
122 /* seed randomness */
123 srand( (unsigned)time(NULL) );
124#ifndef OMITGOOD
125 printLine("Calling good()...");
126 CWE127_Buffer_Underread__malloc_char_cpy_12_good();
127 printLine("Finished good()");
128#endif /* OMITGOOD */
129#ifndef OMITBAD
130 printLine("Calling bad()...");
131 CWE127_Buffer_Underread__malloc_char_cpy_12_bad();
132 printLine("Finished bad()");
133#endif /* OMITBAD */
134 return 0;
135}
136
137#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2622: CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_14.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_14.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__CWE131.label.xml
4Template File: sources-sink-14.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory without using sizeof(int)
10 * GoodSource: Allocate memory using sizeof(int)
11 * Sink: loop
12 * BadSink : Copy array to data using a loop
13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_14_bad()
22{
23 int * data;
24 data = NULL;
25 if(globalFive==5)
26 {
27 /* FLAW: Allocate memory without using sizeof(int) */
28 data = (int *)malloc(10);
29 if (data == NULL) {exit(-1);}
30 }
31 {
32 int source[10] = {0};
33 size_t i;
34 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
35 for (i = 0; i < 10; i++)
36 {
37 data[i] = source[i];❗VULN
38 }
39 printIntLine(data[0]);
40 free(data);
41 }
42}
43
44#endif /* OMITBAD */
45
46#ifndef OMITGOOD
47
48/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */
49static void goodG2B1()
50{
51 int * data;
52 data = NULL;
53 if(globalFive!=5)
54 {
55 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
56 printLine("Benign, fixed string");
57 }
58 else
59 {
60 /* FIX: Allocate memory using sizeof(int) */
61 data = (int *)malloc(10*sizeof(int));
62 if (data == NULL) {exit(-1);}
63 }
64 {
65 int source[10] = {0};
66 size_t i;
67 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
68 for (i = 0; i < 10; i++)
69 {
70 data[i] = source[i];
71 }
72 printIntLine(data[0]);
73 free(data);
74 }
75}
76
77/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
78static void goodG2B2()
79{
80 int * data;
81 data = NULL;
82 if(globalFive==5)
83 {
84 /* FIX: Allocate memory using sizeof(int) */
85 data = (int *)malloc(10*sizeof(int));
86 if (data == NULL) {exit(-1);}
87 }
88 {
89 int source[10] = {0};
90 size_t i;
91 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
92 for (i = 0; i < 10; i++)
93 {
94 data[i] = source[i];
95 }
96 printIntLine(data[0]);
97 free(data);
98 }
99}
100
101void CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_14_good()
102{
103 goodG2B1();
104 goodG2B2();
105}
106
107#endif /* OMITGOOD */
108
109/* Below is the main(). It is only used when building this testcase on
110 * its own for testing or for building a binary to use in testing binary
111 * analysis tools. It is not used when compiling all the testcases as one
112 * application, which is how source code analysis tools are tested.
113 */
114
115#ifdef INCLUDEMAIN
116
117int main(int argc, char * argv[])
118{
119 /* seed randomness */
120 srand( (unsigned)time(NULL) );
121#ifndef OMITGOOD
122 printLine("Calling good()...");
123 CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_14_good();
124 printLine("Finished good()");
125#endif /* OMITGOOD */
126#ifndef OMITBAD
127 printLine("Calling bad()...");
128 CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_14_bad();
129 printLine("Finished bad()");
130#endif /* OMITBAD */
131 return 0;
132}
133
134#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 50: CWE122_Heap_Based_Buffer_Overflow__cpp_src_char_cpy_13.cpp

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_src_char_cpy_13.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_src.label.xml
4Template File: sources-sink-13.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: cpy
12 * BadSink : Copy data to string using strcpy
13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__cpp_src_char_cpy_13
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 char * data;
29 data = new char[100];
30 if(GLOBAL_CONST_FIVE==5)
31 {
32 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
33 memset(data, 'A', 100-1); /* fill with 'A's */
34 data[100-1] = '\0'; /* null terminate */
35 }
36 {
37 char dest[50] = "";
38 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
39 strcpy(dest, data);❗VULN
40 printLine(data);
41 delete [] data;
42 }
43}
44
45#endif /* OMITBAD */
46
47#ifndef OMITGOOD
48
49/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */
50static void goodG2B1()
51{
52 char * data;
53 data = new char[100];
54 if(GLOBAL_CONST_FIVE!=5)
55 {
56 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
57 printLine("Benign, fixed string");
58 }
59 else
60 {
61 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
62 memset(data, 'A', 50-1); /* fill with 'A's */
63 data[50-1] = '\0'; /* null terminate */
64 }
65 {
66 char dest[50] = "";
67 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
68 strcpy(dest, data);
69 printLine(data);
70 delete [] data;
71 }
72}
73
74/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
75static void goodG2B2()
76{
77 char * data;
78 data = new char[100];
79 if(GLOBAL_CONST_FIVE==5)
80 {
81 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
82 memset(data, 'A', 50-1); /* fill with 'A's */
83 data[50-1] = '\0'; /* null terminate */
84 }
85 {
86 char dest[50] = "";
87 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
88 strcpy(dest, data);
89 printLine(data);
90 delete [] data;
91 }
92}
93
94void good()
95{
96 goodG2B1();
97 goodG2B2();
98}
99
100#endif /* OMITGOOD */
101
102} /* close namespace */
103
104/* Below is the main(). It is only used when building this testcase on
105 its own for testing or for building a binary to use in testing binary
106 analysis tools. It is not used when compiling all the testcases as one
107 application, which is how source code analysis tools are tested. */
108
109#ifdef INCLUDEMAIN
110
111using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_src_char_cpy_13; /* so that we can use good and bad easily */
112
113int main(int argc, char * argv[])
114{
115 /* seed randomness */
116 srand( (unsigned)time(NULL) );
117#ifndef OMITGOOD
118 printLine("Calling good()...");
119 good();
120 printLine("Finished good()");
121#endif /* OMITGOOD */
122#ifndef OMITBAD
123 printLine("Calling bad()...");
124 bad();
125 printLine("Finished bad()");
126#endif /* OMITBAD */
127 return 0;
128}
129
130#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7902: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_12.c

Nodes: 18 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_12.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml
4Template File: sources-sink-12.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: loop
12 * BadSink : Copy string to data using a loop
13 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_12_bad()
24{
25 char * data;
26 char dataBadBuffer[50];
27 char dataGoodBuffer[100];
28 if(globalReturnsTrueOrFalse())
29 {
30 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
31 * buffer in various memory copying functions using a "large" source buffer. */
32 data = dataBadBuffer;
33 data[0] = '\0'; /* null terminate */
34 }
35 else
36 {
37 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
38 data = dataGoodBuffer;
39 data[0] = '\0'; /* null terminate */
40 }
41 {
42 size_t i;
43 char source[100];
44 memset(source, 'C', 100-1); /* fill with 'C's */
45 source[100-1] = '\0'; /* null terminate */
46 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
47 for (i = 0; i < 100; i++)
48 {
49 data[i] = source[i];❗VULN
50 }
51 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
52 printLine(data);
53 }
54}
55
56#endif /* OMITBAD */
57
58#ifndef OMITGOOD
59
60/* goodG2B() - use goodsource and badsink by changing the "if" so that
61 * both branches use the GoodSource */
62static void goodG2B()
63{
64 char * data;
65 char dataBadBuffer[50];
66 char dataGoodBuffer[100];
67 if(globalReturnsTrueOrFalse())
68 {
69 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
70 data = dataGoodBuffer;
71 data[0] = '\0'; /* null terminate */
72 }
73 else
74 {
75 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
76 data = dataGoodBuffer;
77 data[0] = '\0'; /* null terminate */
78 }
79 {
80 size_t i;
81 char source[100];
82 memset(source, 'C', 100-1); /* fill with 'C's */
83 source[100-1] = '\0'; /* null terminate */
84 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
85 for (i = 0; i < 100; i++)
86 {
87 data[i] = source[i];
88 }
89 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
90 printLine(data);
91 }
92}
93
94void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_12_good()
95{
96 goodG2B();
97}
98
99#endif /* OMITGOOD */
100
101/* Below is the main(). It is only used when building this testcase on
102 * its own for testing or for building a binary to use in testing binary
103 * analysis tools. It is not used when compiling all the testcases as one
104 * application, which is how source code analysis tools are tested.
105 */
106
107#ifdef INCLUDEMAIN
108
109int main(int argc, char * argv[])
110{
111 /* seed randomness */
112 srand( (unsigned)time(NULL) );
113#ifndef OMITGOOD
114 printLine("Calling good()...");
115 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_12_good();
116 printLine("Finished good()");
117#endif /* OMITGOOD */
118#ifndef OMITBAD
119 printLine("Calling bad()...");
120 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_12_bad();
121 printLine("Finished bad()");
122#endif /* OMITBAD */
123 return 0;
124}
125
126#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2507: CWE127_Buffer_Underread__wchar_t_declare_memmove_13.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__wchar_t_declare_memmove_13.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-13.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__wchar_t_declare_memmove_13_bad()
24{
25 wchar_t * data;
26 wchar_t dataBuffer[100];
27 wmemset(dataBuffer, L'A', 100-1);
28 dataBuffer[100-1] = L'\0';
29 if(GLOBAL_CONST_FIVE==5)
30 {
31 /* FLAW: Set data pointer to before the allocated memory buffer */
32 data = dataBuffer - 8;
33 }
34 {
35 wchar_t dest[100];
36 wmemset(dest, L'C', 100-1); /* fill with 'C's */
37 dest[100-1] = L'\0'; /* null terminate */
38 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
39 memmove(dest, data, 100*sizeof(wchar_t));❗VULN
40 /* Ensure null termination */
41 dest[100-1] = L'\0';
42 printWLine(dest);
43 }
44}
45
46#endif /* OMITBAD */
47
48#ifndef OMITGOOD
49
50/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */
51static void goodG2B1()
52{
53 wchar_t * data;
54 wchar_t dataBuffer[100];
55 wmemset(dataBuffer, L'A', 100-1);
56 dataBuffer[100-1] = L'\0';
57 if(GLOBAL_CONST_FIVE!=5)
58 {
59 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
60 printLine("Benign, fixed string");
61 }
62 else
63 {
64 /* FIX: Set data pointer to the allocated memory buffer */
65 data = dataBuffer;
66 }
67 {
68 wchar_t dest[100];
69 wmemset(dest, L'C', 100-1); /* fill with 'C's */
70 dest[100-1] = L'\0'; /* null terminate */
71 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
72 memmove(dest, data, 100*sizeof(wchar_t));
73 /* Ensure null termination */
74 dest[100-1] = L'\0';
75 printWLine(dest);
76 }
77}
78
79/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
80static void goodG2B2()
81{
82 wchar_t * data;
83 wchar_t dataBuffer[100];
84 wmemset(dataBuffer, L'A', 100-1);
85 dataBuffer[100-1] = L'\0';
86 if(GLOBAL_CONST_FIVE==5)
87 {
88 /* FIX: Set data pointer to the allocated memory buffer */
89 data = dataBuffer;
90 }
91 {
92 wchar_t dest[100];
93 wmemset(dest, L'C', 100-1); /* fill with 'C's */
94 dest[100-1] = L'\0'; /* null terminate */
95 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
96 memmove(dest, data, 100*sizeof(wchar_t));
97 /* Ensure null termination */
98 dest[100-1] = L'\0';
99 printWLine(dest);
100 }
101}
102
103void CWE127_Buffer_Underread__wchar_t_declare_memmove_13_good()
104{
105 goodG2B1();
106 goodG2B2();
107}
108
109#endif /* OMITGOOD */
110
111/* Below is the main(). It is only used when building this testcase on
112 * its own for testing or for building a binary to use in testing binary
113 * analysis tools. It is not used when compiling all the testcases as one
114 * application, which is how source code analysis tools are tested.
115 */
116
117#ifdef INCLUDEMAIN
118
119int main(int argc, char * argv[])
120{
121 /* seed randomness */
122 srand( (unsigned)time(NULL) );
123#ifndef OMITGOOD
124 printLine("Calling good()...");
125 CWE127_Buffer_Underread__wchar_t_declare_memmove_13_good();
126 printLine("Finished good()");
127#endif /* OMITGOOD */
128#ifndef OMITBAD
129 printLine("Calling bad()...");
130 CWE127_Buffer_Underread__wchar_t_declare_memmove_13_bad();
131 printLine("Finished bad()");
132#endif /* OMITBAD */
133 return 0;
134}
135
136#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7804: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_ncpy_18.c

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_ncpy_18.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml
4Template File: sources-sink-18.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: ncpy
12 * BadSink : Copy string to data using strncpy
13 * Flow Variant: 18 Control flow: goto statements
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_ncpy_18_bad()
24{
25 char * data;
26 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
27 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
28 goto source;
29source:
30 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
31 * buffer in various memory copying functions using a "large" source buffer. */
32 data = dataBadBuffer;
33 data[0] = '\0'; /* null terminate */
34 {
35 char source[100];
36 memset(source, 'C', 100-1); /* fill with 'C's */
37 source[100-1] = '\0'; /* null terminate */
38 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
39 strncpy(data, source, 100-1);❗VULN
40 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
41 printLine(data);
42 }
43}
44
45#endif /* OMITBAD */
46
47#ifndef OMITGOOD
48
49/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
50static void goodG2B()
51{
52 char * data;
53 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
54 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
55 goto source;
56source:
57 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
58 data = dataGoodBuffer;
59 data[0] = '\0'; /* null terminate */
60 {
61 char source[100];
62 memset(source, 'C', 100-1); /* fill with 'C's */
63 source[100-1] = '\0'; /* null terminate */
64 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
65 strncpy(data, source, 100-1);
66 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
67 printLine(data);
68 }
69}
70
71void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_ncpy_18_good()
72{
73 goodG2B();
74}
75
76#endif /* OMITGOOD */
77
78/* Below is the main(). It is only used when building this testcase on
79 * its own for testing or for building a binary to use in testing binary
80 * analysis tools. It is not used when compiling all the testcases as one
81 * application, which is how source code analysis tools are tested.
82 */
83
84#ifdef INCLUDEMAIN
85
86int main(int argc, char * argv[])
87{
88 /* seed randomness */
89 srand( (unsigned)time(NULL) );
90#ifndef OMITGOOD
91 printLine("Calling good()...");
92 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_ncpy_18_good();
93 printLine("Finished good()");
94#endif /* OMITGOOD */
95#ifndef OMITBAD
96 printLine("Calling bad()...");
97 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_ncpy_18_bad();
98 printLine("Finished bad()");
99#endif /* OMITBAD */
100 return 0;
101}
102
103#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8979: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_32.c

Nodes: 16 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_32.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-32.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: loop
12 * BadSink : Copy int array to data using a loop
13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_32_bad()
22{
23 int * data;
24 int * *dataPtr1 = &data;
25 int * *dataPtr2 = &data;
26 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));
27 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));
28 {
29 int * data = *dataPtr1;
30 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
31 * buffer in various memory copying functions using a "large" source buffer. */
32 data = dataBadBuffer;
33 *dataPtr1 = data;
34 }
35 {
36 int * data = *dataPtr2;
37 {
38 int source[100] = {0}; /* fill with 0's */
39 {
40 size_t i;
41 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
42 for (i = 0; i < 100; i++)
43 {
44 data[i] = source[i];❗VULN
45 }
46 printIntLine(data[0]);
47 }
48 }
49 }
50}
51
52#endif /* OMITBAD */
53
54#ifndef OMITGOOD
55
56/* goodG2B() uses the GoodSource with the BadSink */
57static void goodG2B()
58{
59 int * data;
60 int * *dataPtr1 = &data;
61 int * *dataPtr2 = &data;
62 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));
63 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));
64 {
65 int * data = *dataPtr1;
66 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
67 data = dataGoodBuffer;
68 *dataPtr1 = data;
69 }
70 {
71 int * data = *dataPtr2;
72 {
73 int source[100] = {0}; /* fill with 0's */
74 {
75 size_t i;
76 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
77 for (i = 0; i < 100; i++)
78 {
79 data[i] = source[i];
80 }
81 printIntLine(data[0]);
82 }
83 }
84 }
85}
86
87void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_32_good()
88{
89 goodG2B();
90}
91
92#endif /* OMITGOOD */
93
94/* Below is the main(). It is only used when building this testcase on
95 * its own for testing or for building a binary to use in testing binary
96 * analysis tools. It is not used when compiling all the testcases as one
97 * application, which is how source code analysis tools are tested.
98 */
99#ifdef INCLUDEMAIN
100
101int main(int argc, char * argv[])
102{
103 /* seed randomness */
104 srand( (unsigned)time(NULL) );
105#ifndef OMITGOOD
106 printLine("Calling good()...");
107 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_32_good();
108 printLine("Finished good()");
109#endif /* OMITGOOD */
110#ifndef OMITBAD
111 printLine("Calling bad()...");
112 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_32_bad();
113 printLine("Finished bad()");
114#endif /* OMITBAD */
115 return 0;
116}
117
118#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7374: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncpy_68b.c

Nodes: 7 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncpy_68b.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml
4Template File: sources-sink-68b.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: ncpy
12 * BadSink : Copy string to data using wcsncpy
13 * Flow Variant: 68 Data flow: data passed as a global variable from one function to another in different source files
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21extern wchar_t * CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncpy_68_badData;
22extern wchar_t * CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncpy_68_goodG2BData;
23
24/* all the sinks are the same, we just want to know where the hit originated if a tool flags one */
25
26#ifndef OMITBAD
27
28void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncpy_68b_badSink()
29{
30 wchar_t * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncpy_68_badData;
31 {
32 wchar_t source[100];
33 wmemset(source, L'C', 100-1); /* fill with L'C's */
34 source[100-1] = L'\0'; /* null terminate */
35 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
36 wcsncpy(data, source, 100-1);❗VULN
37 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
38 printWLine(data);
39 }
40}
41
42#endif /* OMITBAD */
43
44#ifndef OMITGOOD
45
46/* goodG2B uses the GoodSource with the BadSink */
47void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncpy_68b_goodG2BSink()
48{
49 wchar_t * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncpy_68_goodG2BData;
50 {
51 wchar_t source[100];
52 wmemset(source, L'C', 100-1); /* fill with L'C's */
53 source[100-1] = L'\0'; /* null terminate */
54 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
55 wcsncpy(data, source, 100-1);
56 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
57 printWLine(data);
58 }
59}
60
61#endif /* OMITGOOD */

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 753: CWE124_Buffer_Underwrite__char_declare_memcpy_09.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__char_declare_memcpy_09.c
3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml
4Template File: sources-sink-09.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memcpy
12 * BadSink : Copy string to data using memcpy
13 * Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE) and if(GLOBAL_CONST_FALSE)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE124_Buffer_Underwrite__char_declare_memcpy_09_bad()
24{
25 char * data;
26 char dataBuffer[100];
27 memset(dataBuffer, 'A', 100-1);
28 dataBuffer[100-1] = '\0';
29 if(GLOBAL_CONST_TRUE)
30 {
31 /* FLAW: Set data pointer to before the allocated memory buffer */
32 data = dataBuffer - 8;
33 }
34 {
35 char source[100];
36 memset(source, 'C', 100-1); /* fill with 'C's */
37 source[100-1] = '\0'; /* null terminate */
38 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
39 memcpy(data, source, 100*sizeof(char));❗VULN
40 /* Ensure the destination buffer is null terminated */
41 data[100-1] = '\0';
42 printLine(data);
43 }
44}
45
46#endif /* OMITBAD */
47
48#ifndef OMITGOOD
49
50/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */
51static void goodG2B1()
52{
53 char * data;
54 char dataBuffer[100];
55 memset(dataBuffer, 'A', 100-1);
56 dataBuffer[100-1] = '\0';
57 if(GLOBAL_CONST_FALSE)
58 {
59 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
60 printLine("Benign, fixed string");
61 }
62 else
63 {
64 /* FIX: Set data pointer to the allocated memory buffer */
65 data = dataBuffer;
66 }
67 {
68 char source[100];
69 memset(source, 'C', 100-1); /* fill with 'C's */
70 source[100-1] = '\0'; /* null terminate */
71 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
72 memcpy(data, source, 100*sizeof(char));
73 /* Ensure the destination buffer is null terminated */
74 data[100-1] = '\0';
75 printLine(data);
76 }
77}
78
79/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
80static void goodG2B2()
81{
82 char * data;
83 char dataBuffer[100];
84 memset(dataBuffer, 'A', 100-1);
85 dataBuffer[100-1] = '\0';
86 if(GLOBAL_CONST_TRUE)
87 {
88 /* FIX: Set data pointer to the allocated memory buffer */
89 data = dataBuffer;
90 }
91 {
92 char source[100];
93 memset(source, 'C', 100-1); /* fill with 'C's */
94 source[100-1] = '\0'; /* null terminate */
95 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
96 memcpy(data, source, 100*sizeof(char));
97 /* Ensure the destination buffer is null terminated */
98 data[100-1] = '\0';
99 printLine(data);
100 }
101}
102
103void CWE124_Buffer_Underwrite__char_declare_memcpy_09_good()
104{
105 goodG2B1();
106 goodG2B2();
107}
108
109#endif /* OMITGOOD */
110
111/* Below is the main(). It is only used when building this testcase on
112 * its own for testing or for building a binary to use in testing binary
113 * analysis tools. It is not used when compiling all the testcases as one
114 * application, which is how source code analysis tools are tested.
115 */
116
117#ifdef INCLUDEMAIN
118
119int main(int argc, char * argv[])
120{
121 /* seed randomness */
122 srand( (unsigned)time(NULL) );
123#ifndef OMITGOOD
124 printLine("Calling good()...");
125 CWE124_Buffer_Underwrite__char_declare_memcpy_09_good();
126 printLine("Finished good()");
127#endif /* OMITGOOD */
128#ifndef OMITBAD
129 printLine("Calling bad()...");
130 CWE124_Buffer_Underwrite__char_declare_memcpy_09_bad();
131 printLine("Finished bad()");
132#endif /* OMITBAD */
133 return 0;
134}
135
136#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8660: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_14.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_14.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml
4Template File: sources-sink-14.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 * Sink: memmove
12 * BadSink : Copy int array to data using memmove
13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_14_bad()
22{
23 int * data;
24 data = NULL;
25 if(globalFive==5)
26 {
27 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
28 data = (int *)malloc(50*sizeof(int));
29 if (data == NULL) {exit(-1);}
30 }
31 {
32 int source[100] = {0}; /* fill with 0's */
33 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
34 memmove(data, source, 100*sizeof(int));❗VULN
35 printIntLine(data[0]);
36 free(data);
37 }
38}
39
40#endif /* OMITBAD */
41
42#ifndef OMITGOOD
43
44/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */
45static void goodG2B1()
46{
47 int * data;
48 data = NULL;
49 if(globalFive!=5)
50 {
51 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
52 printLine("Benign, fixed string");
53 }
54 else
55 {
56 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
57 data = (int *)malloc(100*sizeof(int));
58 if (data == NULL) {exit(-1);}
59 }
60 {
61 int source[100] = {0}; /* fill with 0's */
62 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
63 memmove(data, source, 100*sizeof(int));
64 printIntLine(data[0]);
65 free(data);
66 }
67}
68
69/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
70static void goodG2B2()
71{
72 int * data;
73 data = NULL;
74 if(globalFive==5)
75 {
76 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
77 data = (int *)malloc(100*sizeof(int));
78 if (data == NULL) {exit(-1);}
79 }
80 {
81 int source[100] = {0}; /* fill with 0's */
82 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
83 memmove(data, source, 100*sizeof(int));
84 printIntLine(data[0]);
85 free(data);
86 }
87}
88
89void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_14_good()
90{
91 goodG2B1();
92 goodG2B2();
93}
94
95#endif /* OMITGOOD */
96
97/* Below is the main(). It is only used when building this testcase on
98 * its own for testing or for building a binary to use in testing binary
99 * analysis tools. It is not used when compiling all the testcases as one
100 * application, which is how source code analysis tools are tested.
101 */
102
103#ifdef INCLUDEMAIN
104
105int main(int argc, char * argv[])
106{
107 /* seed randomness */
108 srand( (unsigned)time(NULL) );
109#ifndef OMITGOOD
110 printLine("Calling good()...");
111 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_14_good();
112 printLine("Finished good()");
113#endif /* OMITGOOD */
114#ifndef OMITBAD
115 printLine("Calling bad()...");
116 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_14_bad();
117 printLine("Finished bad()");
118#endif /* OMITBAD */
119 return 0;
120}
121
122#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3111: CWE126_Buffer_Overread__malloc_char_memcpy_01.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__malloc_char_memcpy_01.c
3Label Definition File: CWE126_Buffer_Overread__malloc.label.xml
4Template File: sources-sink-01.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Use a small buffer
10 * GoodSource: Use a large buffer
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 01 Baseline
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE126_Buffer_Overread__malloc_char_memcpy_01_bad()
24{
25 char * data;
26 data = NULL;
27 /* FLAW: Use a small buffer */
28 data = (char *)malloc(50*sizeof(char));
29 if (data == NULL) {exit(-1);}
30 memset(data, 'A', 50-1); /* fill with 'A's */
31 data[50-1] = '\0'; /* null terminate */
32 {
33 char dest[100];
34 memset(dest, 'C', 100-1);
35 dest[100-1] = '\0'; /* null terminate */
36 /* POTENTIAL FLAW: using memcpy with the length of the dest where data
37 * could be smaller than dest causing buffer overread */
38 memcpy(dest, data, strlen(dest)*sizeof(char));❗VULN
39 dest[100-1] = '\0';
40 printLine(dest);
41 free(data);
42 }
43}
44
45#endif /* OMITBAD */
46
47#ifndef OMITGOOD
48
49/* goodG2B uses the GoodSource with the BadSink */
50static void goodG2B()
51{
52 char * data;
53 data = NULL;
54 /* FIX: Use a large buffer */
55 data = (char *)malloc(100*sizeof(char));
56 if (data == NULL) {exit(-1);}
57 memset(data, 'A', 100-1); /* fill with 'A's */
58 data[100-1] = '\0'; /* null terminate */
59 {
60 char dest[100];
61 memset(dest, 'C', 100-1);
62 dest[100-1] = '\0'; /* null terminate */
63 /* POTENTIAL FLAW: using memcpy with the length of the dest where data
64 * could be smaller than dest causing buffer overread */
65 memcpy(dest, data, strlen(dest)*sizeof(char));
66 dest[100-1] = '\0';
67 printLine(dest);
68 free(data);
69 }
70}
71
72void CWE126_Buffer_Overread__malloc_char_memcpy_01_good()
73{
74 goodG2B();
75}
76
77#endif /* OMITGOOD */
78
79/* Below is the main(). It is only used when building this testcase on
80 * its own for testing or for building a binary to use in testing binary
81 * analysis tools. It is not used when compiling all the testcases as one
82 * application, which is how source code analysis tools are tested.
83 */
84
85#ifdef INCLUDEMAIN
86
87int main(int argc, char * argv[])
88{
89 /* seed randomness */
90 srand( (unsigned)time(NULL) );
91#ifndef OMITGOOD
92 printLine("Calling good()...");
93 CWE126_Buffer_Overread__malloc_char_memcpy_01_good();
94 printLine("Finished good()");
95#endif /* OMITGOOD */
96#ifndef OMITBAD
97 printLine("Calling bad()...");
98 CWE126_Buffer_Overread__malloc_char_memcpy_01_bad();
99 printLine("Finished bad()");
100#endif /* OMITBAD */
101 return 0;
102}
103
104#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 735: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22a.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22a.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml
4Template File: sources-sink-22a.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: ncat
12 * BadSink : Copy data to string using strncat
13 * Flow Variant: 22 Control flow: Flow controlled by value of a global variable. Sink functions are in a separate file from sources.
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23/* The global variable below is used to drive control flow in the source function */
24int CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_badGlobal = 0;
25
26char * CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_badSource(char * data);
27
28void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_bad()
29{
30 char * data;
31 data = (char *)malloc(100*sizeof(char));
32 if (data == NULL) {exit(-1);}
33 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_badGlobal = 1; /* true */
34 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_badSource(data);
35 {
36 char dest[50] = "";
37 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/
38 strncat(dest, data, strlen(data));❗VULN
39 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
40 printLine(data);
41 free(data);
42 }
43}
44
45#endif /* OMITBAD */
46
47#ifndef OMITGOOD
48
49/* The global variables below are used to drive control flow in the source functions. */
50int CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_goodG2B1Global = 0;
51int CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_goodG2B2Global = 0;
52
53/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */
54char * CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_goodG2B1Source(char * data);
55
56static void goodG2B1()
57{
58 char * data;
59 data = (char *)malloc(100*sizeof(char));
60 if (data == NULL) {exit(-1);}
61 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_goodG2B1Global = 0; /* false */
62 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_goodG2B1Source(data);
63 {
64 char dest[50] = "";
65 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/
66 strncat(dest, data, strlen(data));
67 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
68 printLine(data);
69 free(data);
70 }
71}
72
73/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */
74char * CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_goodG2B2Source(char * data);
75
76static void goodG2B2()
77{
78 char * data;
79 data = (char *)malloc(100*sizeof(char));
80 if (data == NULL) {exit(-1);}
81 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_goodG2B2Global = 1; /* true */
82 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_goodG2B2Source(data);
83 {
84 char dest[50] = "";
85 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/
86 strncat(dest, data, strlen(data));
87 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
88 printLine(data);
89 free(data);
90 }
91}
92
93void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_good()
94{
95 goodG2B1();
96 goodG2B2();
97}
98
99#endif /* OMITGOOD */
100
101/* Below is the main(). It is only used when building this testcase on
102 * its own for testing or for building a binary to use in testing binary
103 * analysis tools. It is not used when compiling all the testcases as one
104 * application, which is how source code analysis tools are tested.
105 */
106
107#ifdef INCLUDEMAIN
108
109int main(int argc, char * argv[])
110{
111 /* seed randomness */
112 srand( (unsigned)time(NULL) );
113#ifndef OMITGOOD
114 printLine("Calling good()...");
115 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_good();
116 printLine("Finished good()");
117#endif /* OMITGOOD */
118#ifndef OMITBAD
119 printLine("Calling bad()...");
120 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncat_22_bad();
121 printLine("Finished bad()");
122#endif /* OMITBAD */
123 return 0;
124}
125
126#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6623: CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_memmove_10.c

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_memmove_10.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE193.label.xml
4Template File: sources-sink-10.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Point data to a buffer that does not have space for a NULL terminator
10 * GoodSource: Point data to a buffer that includes space for a NULL terminator
11 * Sink: memmove
12 * BadSink : Copy string to data using memmove()
13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING "AAAAAAAAAA"
25
26#ifndef OMITBAD
27
28void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_memmove_10_bad()
29{
30 char * data;
31 char dataBadBuffer[10];
32 char dataGoodBuffer[10+1];
33 if(globalTrue)
34 {
35 /* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing
36 * string copies in the sinks */
37 data = dataBadBuffer;
38 data[0] = '\0'; /* null terminate */
39 }
40 {
41 char source[10+1] = SRC_STRING;
42 /* Copy length + 1 to include NUL terminator from source */
43 /* POTENTIAL FLAW: data may not have enough space to hold source */
44 memmove(data, source, (strlen(source) + 1) * sizeof(char));❗VULN
45 printLine(data);
46 }
47}
48
49#endif /* OMITBAD */
50
51#ifndef OMITGOOD
52
53/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */
54static void goodG2B1()
55{
56 char * data;
57 char dataBadBuffer[10];
58 char dataGoodBuffer[10+1];
59 if(globalFalse)
60 {
61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
62 printLine("Benign, fixed string");
63 }
64 else
65 {
66 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing
67 * string copies in the sinks */
68 data = dataGoodBuffer;
69 data[0] = '\0'; /* null terminate */
70 }
71 {
72 char source[10+1] = SRC_STRING;
73 /* Copy length + 1 to include NUL terminator from source */
74 /* POTENTIAL FLAW: data may not have enough space to hold source */
75 memmove(data, source, (strlen(source) + 1) * sizeof(char));
76 printLine(data);
77 }
78}
79
80/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
81static void goodG2B2()
82{
83 char * data;
84 char dataBadBuffer[10];
85 char dataGoodBuffer[10+1];
86 if(globalTrue)
87 {
88 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing
89 * string copies in the sinks */
90 data = dataGoodBuffer;
91 data[0] = '\0'; /* null terminate */
92 }
93 {
94 char source[10+1] = SRC_STRING;
95 /* Copy length + 1 to include NUL terminator from source */
96 /* POTENTIAL FLAW: data may not have enough space to hold source */
97 memmove(data, source, (strlen(source) + 1) * sizeof(char));
98 printLine(data);
99 }
100}
101
102void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_memmove_10_good()
103{
104 goodG2B1();
105 goodG2B2();
106}
107
108#endif /* OMITGOOD */
109
110/* Below is the main(). It is only used when building this testcase on
111 * its own for testing or for building a binary to use in testing binary
112 * analysis tools. It is not used when compiling all the testcases as one
113 * application, which is how source code analysis tools are tested.
114 */
115
116#ifdef INCLUDEMAIN
117
118int main(int argc, char * argv[])
119{
120 /* seed randomness */
121 srand( (unsigned)time(NULL) );
122#ifndef OMITGOOD
123 printLine("Calling good()...");
124 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_memmove_10_good();
125 printLine("Finished good()");
126#endif /* OMITGOOD */
127#ifndef OMITBAD
128 printLine("Calling bad()...");
129 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_memmove_10_bad();
130 printLine("Finished bad()");
131#endif /* OMITBAD */
132 return 0;
133}
134
135#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3661: CWE126_Buffer_Overread__wchar_t_alloca_memmove_31.c

Nodes: 16 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__wchar_t_alloca_memmove_31.c
3Label Definition File: CWE126_Buffer_Overread.stack.label.xml
4Template File: sources-sink-31.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Set data pointer to a small buffer
10 * GoodSource: Set data pointer to a large buffer
11 * Sinks: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 31 Data flow using a copy of data within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE126_Buffer_Overread__wchar_t_alloca_memmove_31_bad()
24{
25 wchar_t * data;
26 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
27 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
28 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */
29 dataBadBuffer[50-1] = L'\0'; /* null terminate */
30 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */
31 dataGoodBuffer[100-1] = L'\0'; /* null terminate */
32 /* FLAW: Set data pointer to a small buffer */
33 data = dataBadBuffer;
34 {
35 wchar_t * dataCopy = data;
36 wchar_t * data = dataCopy;
37 {
38 wchar_t dest[100];
39 wmemset(dest, L'C', 100-1);
40 dest[100-1] = L'\0'; /* null terminate */
41 /* POTENTIAL FLAW: using memmove with the length of the dest where data
42 * could be smaller than dest causing buffer overread */
43 memmove(dest, data, wcslen(dest)*sizeof(wchar_t));❗VULN
44 dest[100-1] = L'\0';
45 printWLine(dest);
46 }
47 }
48}
49
50#endif /* OMITBAD */
51
52#ifndef OMITGOOD
53
54/* goodG2B() uses the GoodSource with the BadSink */
55static void goodG2B()
56{
57 wchar_t * data;
58 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
59 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
60 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */
61 dataBadBuffer[50-1] = L'\0'; /* null terminate */
62 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */
63 dataGoodBuffer[100-1] = L'\0'; /* null terminate */
64 /* FIX: Set data pointer to a large buffer */
65 data = dataGoodBuffer;
66 {
67 wchar_t * dataCopy = data;
68 wchar_t * data = dataCopy;
69 {
70 wchar_t dest[100];
71 wmemset(dest, L'C', 100-1);
72 dest[100-1] = L'\0'; /* null terminate */
73 /* POTENTIAL FLAW: using memmove with the length of the dest where data
74 * could be smaller than dest causing buffer overread */
75 memmove(dest, data, wcslen(dest)*sizeof(wchar_t));
76 dest[100-1] = L'\0';
77 printWLine(dest);
78 }
79 }
80}
81
82void CWE126_Buffer_Overread__wchar_t_alloca_memmove_31_good()
83{
84 goodG2B();
85}
86
87#endif /* OMITGOOD */
88
89/* Below is the main(). It is only used when building this testcase on
90 * its own for testing or for building a binary to use in testing binary
91 * analysis tools. It is not used when compiling all the testcases as one
92 * application, which is how source code analysis tools are tested.
93 */
94#ifdef INCLUDEMAIN
95
96int main(int argc, char * argv[])
97{
98 /* seed randomness */
99 srand( (unsigned)time(NULL) );
100#ifndef OMITGOOD
101 printLine("Calling good()...");
102 CWE126_Buffer_Overread__wchar_t_alloca_memmove_31_good();
103 printLine("Finished good()");
104#endif /* OMITGOOD */
105#ifndef OMITBAD
106 printLine("Calling bad()...");
107 CWE126_Buffer_Overread__wchar_t_alloca_memmove_31_bad();
108 printLine("Finished bad()");
109#endif /* OMITBAD */
110 return 0;
111}
112
113#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 506: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_15.c

Nodes: 17 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_15.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml
4Template File: sources-sink-15.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: memcpy
12 * BadSink : Copy string to data using memcpy
13 * Flow Variant: 15 Control flow: switch(6)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_15_bad()
24{
25 char * data;
26 char dataBadBuffer[50];
27 char dataGoodBuffer[100];
28 switch(6)
29 {
30 case 6:
31 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
32 * buffer in various memory copying functions using a "large" source buffer. */
33 data = dataBadBuffer;
34 data[0] = '\0'; /* null terminate */
35 break;
36 default:
37 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
38 printLine("Benign, fixed string");
39 break;
40 }
41 {
42 char source[100];
43 memset(source, 'C', 100-1); /* fill with 'C's */
44 source[100-1] = '\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
46 memcpy(data, source, 100*sizeof(char));❗VULN
47 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
48 printLine(data);
49 }
50}
51
52#endif /* OMITBAD */
53
54#ifndef OMITGOOD
55
56/* goodG2B1() - use goodsource and badsink by changing the switch to switch(5) */
57static void goodG2B1()
58{
59 char * data;
60 char dataBadBuffer[50];
61 char dataGoodBuffer[100];
62 switch(5)
63 {
64 case 6:
65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
66 printLine("Benign, fixed string");
67 break;
68 default:
69 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
70 data = dataGoodBuffer;
71 data[0] = '\0'; /* null terminate */
72 break;
73 }
74 {
75 char source[100];
76 memset(source, 'C', 100-1); /* fill with 'C's */
77 source[100-1] = '\0'; /* null terminate */
78 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
79 memcpy(data, source, 100*sizeof(char));
80 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
81 printLine(data);
82 }
83}
84
85/* goodG2B2() - use goodsource and badsink by reversing the blocks in the switch */
86static void goodG2B2()
87{
88 char * data;
89 char dataBadBuffer[50];
90 char dataGoodBuffer[100];
91 switch(6)
92 {
93 case 6:
94 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
95 data = dataGoodBuffer;
96 data[0] = '\0'; /* null terminate */
97 break;
98 default:
99 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
100 printLine("Benign, fixed string");
101 break;
102 }
103 {
104 char source[100];
105 memset(source, 'C', 100-1); /* fill with 'C's */
106 source[100-1] = '\0'; /* null terminate */
107 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
108 memcpy(data, source, 100*sizeof(char));
109 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
110 printLine(data);
111 }
112}
113
114void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_15_good()
115{
116 goodG2B1();
117 goodG2B2();
118}
119
120#endif /* OMITGOOD */
121
122/* Below is the main(). It is only used when building this testcase on
123 * its own for testing or for building a binary to use in testing binary
124 * analysis tools. It is not used when compiling all the testcases as one
125 * application, which is how source code analysis tools are tested.
126 */
127
128#ifdef INCLUDEMAIN
129
130int main(int argc, char * argv[])
131{
132 /* seed randomness */
133 srand( (unsigned)time(NULL) );
134#ifndef OMITGOOD
135 printLine("Calling good()...");
136 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_15_good();
137 printLine("Finished good()");
138#endif /* OMITGOOD */
139#ifndef OMITBAD
140 printLine("Calling bad()...");
141 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memcpy_15_bad();
142 printLine("Finished bad()");
143#endif /* OMITBAD */
144 return 0;
145}
146
147#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1203: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_07.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_07.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-07.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: loop
12 * BadSink : Copy int array to data using a loop
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19/* The variable below is not declared "const", but is never assigned
20 * any other value so a tool should be able to identify that reads of
21 * this will always give its initialized value.
22 */
23static int staticFive = 5;
24
25#ifndef OMITBAD
26
27void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_07_bad()
28{
29 int * data;
30 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));
31 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));
32 if(staticFive==5)
33 {
34 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
35 * buffer in various memory copying functions using a "large" source buffer. */
36 data = dataBadBuffer;
37 }
38 {
39 int source[100] = {0}; /* fill with 0's */
40 {
41 size_t i;
42 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
43 for (i = 0; i < 100; i++)
44 {
45 data[i] = source[i];❗VULN
46 }
47 printIntLine(data[0]);
48 }
49 }
50}
51
52#endif /* OMITBAD */
53
54#ifndef OMITGOOD
55
56/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
57static void goodG2B1()
58{
59 int * data;
60 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));
61 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));
62 if(staticFive!=5)
63 {
64 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
65 printLine("Benign, fixed string");
66 }
67 else
68 {
69 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
70 data = dataGoodBuffer;
71 }
72 {
73 int source[100] = {0}; /* fill with 0's */
74 {
75 size_t i;
76 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
77 for (i = 0; i < 100; i++)
78 {
79 data[i] = source[i];
80 }
81 printIntLine(data[0]);
82 }
83 }
84}
85
86/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
87static void goodG2B2()
88{
89 int * data;
90 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));
91 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));
92 if(staticFive==5)
93 {
94 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
95 data = dataGoodBuffer;
96 }
97 {
98 int source[100] = {0}; /* fill with 0's */
99 {
100 size_t i;
101 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
102 for (i = 0; i < 100; i++)
103 {
104 data[i] = source[i];
105 }
106 printIntLine(data[0]);
107 }
108 }
109}
110
111void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_07_good()
112{
113 goodG2B1();
114 goodG2B2();
115}
116
117#endif /* OMITGOOD */
118
119/* Below is the main(). It is only used when building this testcase on
120 * its own for testing or for building a binary to use in testing binary
121 * analysis tools. It is not used when compiling all the testcases as one
122 * application, which is how source code analysis tools are tested.
123 */
124
125#ifdef INCLUDEMAIN
126
127int main(int argc, char * argv[])
128{
129 /* seed randomness */
130 srand( (unsigned)time(NULL) );
131#ifndef OMITGOOD
132 printLine("Calling good()...");
133 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_07_good();
134 printLine("Finished good()");
135#endif /* OMITGOOD */
136#ifndef OMITBAD
137 printLine("Calling bad()...");
138 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_loop_07_bad();
139 printLine("Finished bad()");
140#endif /* OMITBAD */
141 return 0;
142}
143
144#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1046: CWE127_Buffer_Underread__char_declare_memcpy_04.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__char_declare_memcpy_04.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-04.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are declared "const", so a tool should
22 * be able to identify that reads of these will always return their
23 * initialized values.
24 */
25static const int STATIC_CONST_TRUE = 1; /* true */
26static const int STATIC_CONST_FALSE = 0; /* false */
27
28#ifndef OMITBAD
29
30void CWE127_Buffer_Underread__char_declare_memcpy_04_bad()
31{
32 char * data;
33 char dataBuffer[100];
34 memset(dataBuffer, 'A', 100-1);
35 dataBuffer[100-1] = '\0';
36 if(STATIC_CONST_TRUE)
37 {
38 /* FLAW: Set data pointer to before the allocated memory buffer */
39 data = dataBuffer - 8;
40 }
41 {
42 char dest[100];
43 memset(dest, 'C', 100-1); /* fill with 'C's */
44 dest[100-1] = '\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
46 memcpy(dest, data, 100*sizeof(char));❗VULN
47 /* Ensure null termination */
48 dest[100-1] = '\0';
49 printLine(dest);
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */
58static void goodG2B1()
59{
60 char * data;
61 char dataBuffer[100];
62 memset(dataBuffer, 'A', 100-1);
63 dataBuffer[100-1] = '\0';
64 if(STATIC_CONST_FALSE)
65 {
66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
67 printLine("Benign, fixed string");
68 }
69 else
70 {
71 /* FIX: Set data pointer to the allocated memory buffer */
72 data = dataBuffer;
73 }
74 {
75 char dest[100];
76 memset(dest, 'C', 100-1); /* fill with 'C's */
77 dest[100-1] = '\0'; /* null terminate */
78 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
79 memcpy(dest, data, 100*sizeof(char));
80 /* Ensure null termination */
81 dest[100-1] = '\0';
82 printLine(dest);
83 }
84}
85
86/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
87static void goodG2B2()
88{
89 char * data;
90 char dataBuffer[100];
91 memset(dataBuffer, 'A', 100-1);
92 dataBuffer[100-1] = '\0';
93 if(STATIC_CONST_TRUE)
94 {
95 /* FIX: Set data pointer to the allocated memory buffer */
96 data = dataBuffer;
97 }
98 {
99 char dest[100];
100 memset(dest, 'C', 100-1); /* fill with 'C's */
101 dest[100-1] = '\0'; /* null terminate */
102 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
103 memcpy(dest, data, 100*sizeof(char));
104 /* Ensure null termination */
105 dest[100-1] = '\0';
106 printLine(dest);
107 }
108}
109
110void CWE127_Buffer_Underread__char_declare_memcpy_04_good()
111{
112 goodG2B1();
113 goodG2B2();
114}
115
116#endif /* OMITGOOD */
117
118/* Below is the main(). It is only used when building this testcase on
119 * its own for testing or for building a binary to use in testing binary
120 * analysis tools. It is not used when compiling all the testcases as one
121 * application, which is how source code analysis tools are tested.
122 */
123
124#ifdef INCLUDEMAIN
125
126int main(int argc, char * argv[])
127{
128 /* seed randomness */
129 srand( (unsigned)time(NULL) );
130#ifndef OMITGOOD
131 printLine("Calling good()...");
132 CWE127_Buffer_Underread__char_declare_memcpy_04_good();
133 printLine("Finished good()");
134#endif /* OMITGOOD */
135#ifndef OMITBAD
136 printLine("Calling bad()...");
137 CWE127_Buffer_Underread__char_declare_memcpy_04_bad();
138 printLine("Finished bad()");
139#endif /* OMITBAD */
140 return 0;
141}
142
143#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3624: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45.c

Nodes: 6 | Sink Nodes: 2 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml
4Template File: sources-sink-45.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sinks: swprintf
12 * BadSink : Copy string to data using swprintf
13 * Flow Variant: 45 Data flow: data passed as a static global variable from one function to another in the same source file
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifdef _WIN32
22#define SNPRINTF _snwprintf
23#else
24#define SNPRINTF swprintf
25#endif
26
27static wchar_t * CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_badData;
28static wchar_t * CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_goodG2BData;
29
30#ifndef OMITBAD
31
32static void badSink()
33{
34 wchar_t * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_badData;
35 {
36 wchar_t source[100];
37 wmemset(source, L'C', 100-1); /* fill with L'C's */
38 source[100-1] = L'\0'; /* null terminate */
39 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
40 SNPRINTF(data, 100, L"%s", source);❗VULN
41 printWLine(data);
42 }
43}
44
45void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_bad()
46{
47 wchar_t * data;
48 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
49 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
50 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
51 * buffer in various memory copying functions using a "large" source buffer. */
52 data = dataBadBuffer;
53 data[0] = L'\0'; /* null terminate */
54 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_badData = data;
55 badSink();
56}
57
58#endif /* OMITBAD */
59
60#ifndef OMITGOOD
61
62/* goodG2B() uses the GoodSource with the BadSink */
63static void goodG2BSink()
64{
65 wchar_t * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_goodG2BData;
66 {
67 wchar_t source[100];
68 wmemset(source, L'C', 100-1); /* fill with L'C's */
69 source[100-1] = L'\0'; /* null terminate */
70 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
71 SNPRINTF(data, 100, L"%s", source);
72 printWLine(data);
73 }
74}
75
76static void goodG2B()
77{
78 wchar_t * data;
79 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
80 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
81 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
82 data = dataGoodBuffer;
83 data[0] = L'\0'; /* null terminate */
84 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_goodG2BData = data;
85 goodG2BSink();
86}
87
88void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_good()
89{
90 goodG2B();
91}
92
93#endif /* OMITGOOD */
94
95/* Below is the main(). It is only used when building this testcase on
96 * its own for testing or for building a binary to use in testing binary
97 * analysis tools. It is not used when compiling all the testcases as one
98 * application, which is how source code analysis tools are tested.
99 */
100#ifdef INCLUDEMAIN
101
102int main(int argc, char * argv[])
103{
104 /* seed randomness */
105 srand( (unsigned)time(NULL) );
106#ifndef OMITGOOD
107 printLine("Calling good()...");
108 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_good();
109 printLine("Finished good()");
110#endif /* OMITGOOD */
111#ifndef OMITBAD
112 printLine("Calling bad()...");
113 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_snprintf_45_bad();
114 printLine("Finished bad()");
115#endif /* OMITBAD */
116 return 0;
117}
118
119#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1721: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_10.c

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_10.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4Template File: sources-sink-10.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 * Sink: ncat
12 * BadSink : Copy string to data using strncat
13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_10_bad()
24{
25 char * data;
26 data = NULL;
27 if(globalTrue)
28 {
29 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
30 data = (char *)malloc(50*sizeof(char));
31 if (data == NULL) {exit(-1);}
32 data[0] = '\0'; /* null terminate */
33 }
34 {
35 char source[100];
36 memset(source, 'C', 100-1); /* fill with 'C's */
37 source[100-1] = '\0'; /* null terminate */
38 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
39 strncat(data, source, 100);❗VULN
40 printLine(data);
41 free(data);
42 }
43}
44
45#endif /* OMITBAD */
46
47#ifndef OMITGOOD
48
49/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */
50static void goodG2B1()
51{
52 char * data;
53 data = NULL;
54 if(globalFalse)
55 {
56 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
57 printLine("Benign, fixed string");
58 }
59 else
60 {
61 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
62 data = (char *)malloc(100*sizeof(char));
63 if (data == NULL) {exit(-1);}
64 data[0] = '\0'; /* null terminate */
65 }
66 {
67 char source[100];
68 memset(source, 'C', 100-1); /* fill with 'C's */
69 source[100-1] = '\0'; /* null terminate */
70 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
71 strncat(data, source, 100);
72 printLine(data);
73 free(data);
74 }
75}
76
77/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
78static void goodG2B2()
79{
80 char * data;
81 data = NULL;
82 if(globalTrue)
83 {
84 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
85 data = (char *)malloc(100*sizeof(char));
86 if (data == NULL) {exit(-1);}
87 data[0] = '\0'; /* null terminate */
88 }
89 {
90 char source[100];
91 memset(source, 'C', 100-1); /* fill with 'C's */
92 source[100-1] = '\0'; /* null terminate */
93 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
94 strncat(data, source, 100);
95 printLine(data);
96 free(data);
97 }
98}
99
100void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_10_good()
101{
102 goodG2B1();
103 goodG2B2();
104}
105
106#endif /* OMITGOOD */
107
108/* Below is the main(). It is only used when building this testcase on
109 * its own for testing or for building a binary to use in testing binary
110 * analysis tools. It is not used when compiling all the testcases as one
111 * application, which is how source code analysis tools are tested.
112 */
113
114#ifdef INCLUDEMAIN
115
116int main(int argc, char * argv[])
117{
118 /* seed randomness */
119 srand( (unsigned)time(NULL) );
120#ifndef OMITGOOD
121 printLine("Calling good()...");
122 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_10_good();
123 printLine("Finished good()");
124#endif /* OMITGOOD */
125#ifndef OMITBAD
126 printLine("Calling bad()...");
127 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_10_bad();
128 printLine("Finished bad()");
129#endif /* OMITBAD */
130 return 0;
131}
132
133#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4130: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_34.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_34.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml
4Template File: sources-sink-34.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 * GoodSource: Allocate enough memory for a string and the NULL terminator
11 * Sinks: cpy
12 * BadSink : Copy string to data using strcpy()
13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING "AAAAAAAAAA"
25
26typedef union
27{
28 char * unionFirst;
29 char * unionSecond;
30} CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_34_unionType;
31
32#ifndef OMITBAD
33
34void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_34_bad()
35{
36 char * data;
37 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_34_unionType myUnion;
38 data = NULL;
39 /* FLAW: Did not leave space for a null terminator */
40 data = (char *)malloc(10*sizeof(char));
41 if (data == NULL) {exit(-1);}
42 myUnion.unionFirst = data;
43 {
44 char * data = myUnion.unionSecond;
45 {
46 char source[10+1] = SRC_STRING;
47 /* POTENTIAL FLAW: data may not have enough space to hold source */
48 strcpy(data, source);❗VULN
49 printLine(data);
50 free(data);
51 }
52 }
53}
54
55#endif /* OMITBAD */
56
57#ifndef OMITGOOD
58
59/* goodG2B() uses the GoodSource with the BadSink */
60static void goodG2B()
61{
62 char * data;
63 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_34_unionType myUnion;
64 data = NULL;
65 /* FIX: Allocate space for a null terminator */
66 data = (char *)malloc((10+1)*sizeof(char));
67 if (data == NULL) {exit(-1);}
68 myUnion.unionFirst = data;
69 {
70 char * data = myUnion.unionSecond;
71 {
72 char source[10+1] = SRC_STRING;
73 /* POTENTIAL FLAW: data may not have enough space to hold source */
74 strcpy(data, source);
75 printLine(data);
76 free(data);
77 }
78 }
79}
80
81void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_34_good()
82{
83 goodG2B();
84}
85
86#endif /* OMITGOOD */
87
88/* Below is the main(). It is only used when building this testcase on
89 * its own for testing or for building a binary to use in testing binary
90 * analysis tools. It is not used when compiling all the testcases as one
91 * application, which is how source code analysis tools are tested.
92 */
93#ifdef INCLUDEMAIN
94
95int main(int argc, char * argv[])
96{
97 /* seed randomness */
98 srand( (unsigned)time(NULL) );
99#ifndef OMITGOOD
100 printLine("Calling good()...");
101 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_34_good();
102 printLine("Finished good()");
103#endif /* OMITGOOD */
104#ifndef OMITBAD
105 printLine("Calling bad()...");
106 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_cpy_34_bad();
107 printLine("Finished bad()");
108#endif /* OMITBAD */
109 return 0;
110}
111
112#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4245: CWE126_Buffer_Overread__wchar_t_alloca_loop_08.c

Nodes: 20 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__wchar_t_alloca_loop_08.c
3Label Definition File: CWE126_Buffer_Overread.stack.label.xml
4Template File: sources-sink-08.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Set data pointer to a small buffer
10 * GoodSource: Set data pointer to a large buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 08 Control flow: if(staticReturnsTrue()) and if(staticReturnsFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two function below always return the same value, so a tool
22 * should be able to identify that calls to the functions will always
23 * return a fixed value.
24 */
25static int staticReturnsTrue()
26{
27 return 1;
28}
29
30static int staticReturnsFalse()
31{
32 return 0;
33}
34
35#ifndef OMITBAD
36
37void CWE126_Buffer_Overread__wchar_t_alloca_loop_08_bad()
38{
39 wchar_t * data;
40 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
41 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
42 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */
43 dataBadBuffer[50-1] = L'\0'; /* null terminate */
44 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */
45 dataGoodBuffer[100-1] = L'\0'; /* null terminate */
46 if(staticReturnsTrue())
47 {
48 /* FLAW: Set data pointer to a small buffer */
49 data = dataBadBuffer;
50 }
51 {
52 size_t i, destLen;
53 wchar_t dest[100];
54 wmemset(dest, L'C', 100-1);
55 dest[100-1] = L'\0'; /* null terminate */
56 destLen = wcslen(dest);
57 /* POTENTIAL FLAW: using length of the dest where data
58 * could be smaller than dest causing buffer overread */
59 for (i = 0; i < destLen; i++)
60 {
61 dest[i] = data[i];❗VULN
62 }
63 dest[100-1] = L'\0';
64 printWLine(dest);
65 }
66}
67
68#endif /* OMITBAD */
69
70#ifndef OMITGOOD
71
72/* goodG2B1() - use goodsource and badsink by changing the staticReturnsTrue() to staticReturnsFalse() */
73static void goodG2B1()
74{
75 wchar_t * data;
76 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
77 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
78 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */
79 dataBadBuffer[50-1] = L'\0'; /* null terminate */
80 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */
81 dataGoodBuffer[100-1] = L'\0'; /* null terminate */
82 if(staticReturnsFalse())
83 {
84 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
85 printLine("Benign, fixed string");
86 }
87 else
88 {
89 /* FIX: Set data pointer to a large buffer */
90 data = dataGoodBuffer;
91 }
92 {
93 size_t i, destLen;
94 wchar_t dest[100];
95 wmemset(dest, L'C', 100-1);
96 dest[100-1] = L'\0'; /* null terminate */
97 destLen = wcslen(dest);
98 /* POTENTIAL FLAW: using length of the dest where data
99 * could be smaller than dest causing buffer overread */
100 for (i = 0; i < destLen; i++)
101 {
102 dest[i] = data[i];
103 }
104 dest[100-1] = L'\0';
105 printWLine(dest);
106 }
107}
108
109/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
110static void goodG2B2()
111{
112 wchar_t * data;
113 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
114 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
115 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */
116 dataBadBuffer[50-1] = L'\0'; /* null terminate */
117 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */
118 dataGoodBuffer[100-1] = L'\0'; /* null terminate */
119 if(staticReturnsTrue())
120 {
121 /* FIX: Set data pointer to a large buffer */
122 data = dataGoodBuffer;
123 }
124 {
125 size_t i, destLen;
126 wchar_t dest[100];
127 wmemset(dest, L'C', 100-1);
128 dest[100-1] = L'\0'; /* null terminate */
129 destLen = wcslen(dest);
130 /* POTENTIAL FLAW: using length of the dest where data
131 * could be smaller than dest causing buffer overread */
132 for (i = 0; i < destLen; i++)
133 {
134 dest[i] = data[i];
135 }
136 dest[100-1] = L'\0';
137 printWLine(dest);
138 }
139}
140
141void CWE126_Buffer_Overread__wchar_t_alloca_loop_08_good()
142{
143 goodG2B1();
144 goodG2B2();
145}
146
147#endif /* OMITGOOD */
148
149/* Below is the main(). It is only used when building this testcase on
150 * its own for testing or for building a binary to use in testing binary
151 * analysis tools. It is not used when compiling all the testcases as one
152 * application, which is how source code analysis tools are tested.
153 */
154
155#ifdef INCLUDEMAIN
156
157int main(int argc, char * argv[])
158{
159 /* seed randomness */
160 srand( (unsigned)time(NULL) );
161#ifndef OMITGOOD
162 printLine("Calling good()...");
163 CWE126_Buffer_Overread__wchar_t_alloca_loop_08_good();
164 printLine("Finished good()");
165#endif /* OMITGOOD */
166#ifndef OMITBAD
167 printLine("Calling bad()...");
168 CWE126_Buffer_Overread__wchar_t_alloca_loop_08_bad();
169 printLine("Finished bad()");
170#endif /* OMITBAD */
171 return 0;
172}
173
174#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4608: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memmove_05.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memmove_05.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml
4Template File: sources-sink-05.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 * Sink: memmove
12 * BadSink : Copy int64_t array to data using memmove
13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19/* The two variables below are not defined as "const", but are never
20 * assigned any other value, so a tool should be able to identify that
21 * reads of these will always return their initialized values.
22 */
23static int staticTrue = 1; /* true */
24static int staticFalse = 0; /* false */
25
26#ifndef OMITBAD
27
28void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memmove_05_bad()
29{
30 int64_t * data;
31 data = NULL;
32 if(staticTrue)
33 {
34 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
35 data = (int64_t *)malloc(50*sizeof(int64_t));
36 if (data == NULL) {exit(-1);}
37 }
38 {
39 int64_t source[100] = {0}; /* fill with 0's */
40 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
41 memmove(data, source, 100*sizeof(int64_t));❗VULN
42 printLongLongLine(data[0]);
43 free(data);
44 }
45}
46
47#endif /* OMITBAD */
48
49#ifndef OMITGOOD
50
51/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */
52static void goodG2B1()
53{
54 int64_t * data;
55 data = NULL;
56 if(staticFalse)
57 {
58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
59 printLine("Benign, fixed string");
60 }
61 else
62 {
63 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
64 data = (int64_t *)malloc(100*sizeof(int64_t));
65 if (data == NULL) {exit(-1);}
66 }
67 {
68 int64_t source[100] = {0}; /* fill with 0's */
69 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
70 memmove(data, source, 100*sizeof(int64_t));
71 printLongLongLine(data[0]);
72 free(data);
73 }
74}
75
76/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
77static void goodG2B2()
78{
79 int64_t * data;
80 data = NULL;
81 if(staticTrue)
82 {
83 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
84 data = (int64_t *)malloc(100*sizeof(int64_t));
85 if (data == NULL) {exit(-1);}
86 }
87 {
88 int64_t source[100] = {0}; /* fill with 0's */
89 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
90 memmove(data, source, 100*sizeof(int64_t));
91 printLongLongLine(data[0]);
92 free(data);
93 }
94}
95
96void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memmove_05_good()
97{
98 goodG2B1();
99 goodG2B2();
100}
101
102#endif /* OMITGOOD */
103
104/* Below is the main(). It is only used when building this testcase on
105 * its own for testing or for building a binary to use in testing binary
106 * analysis tools. It is not used when compiling all the testcases as one
107 * application, which is how source code analysis tools are tested.
108 */
109
110#ifdef INCLUDEMAIN
111
112int main(int argc, char * argv[])
113{
114 /* seed randomness */
115 srand( (unsigned)time(NULL) );
116#ifndef OMITGOOD
117 printLine("Calling good()...");
118 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memmove_05_good();
119 printLine("Finished good()");
120#endif /* OMITGOOD */
121#ifndef OMITBAD
122 printLine("Calling bad()...");
123 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memmove_05_bad();
124 printLine("Finished bad()");
125#endif /* OMITBAD */
126 return 0;
127}
128
129#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2343: CWE122_Heap_Based_Buffer_Overflow__cpp_dest_wchar_t_cpy_17.cpp

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_dest_wchar_t_cpy_17.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_dest.label.xml
4Template File: sources-sink-17.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: cpy
12 * BadSink : Copy string to data using wcscpy
13 * Flow Variant: 17 Control flow: for loops
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__cpp_dest_wchar_t_cpy_17
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 int i;
29 wchar_t * data;
30 data = NULL;
31 for(i = 0; i < 1; i++)
32 {
33 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
34 data = new wchar_t[50];
35 data[0] = L'\0'; /* null terminate */
36 }
37 {
38 wchar_t source[100];
39 wmemset(source, L'C', 100-1); /* fill with L'C's */
40 source[100-1] = L'\0'; /* null terminate */
41 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
42 wcscpy(data, source);❗VULN
43 printWLine(data);
44 delete [] data;
45 }
46}
47
48#endif /* OMITBAD */
49
50#ifndef OMITGOOD
51
52/* goodG2B() - use goodsource in the for statement */
53static void goodG2B()
54{
55 int h;
56 wchar_t * data;
57 data = NULL;
58 for(h = 0; h < 1; h++)
59 {
60 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
61 data = new wchar_t[100];
62 data[0] = L'\0'; /* null terminate */
63 }
64 {
65 wchar_t source[100];
66 wmemset(source, L'C', 100-1); /* fill with L'C's */
67 source[100-1] = L'\0'; /* null terminate */
68 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
69 wcscpy(data, source);
70 printWLine(data);
71 delete [] data;
72 }
73}
74
75void good()
76{
77 goodG2B();
78}
79
80#endif /* OMITGOOD */
81
82} /* close namespace */
83
84/* Below is the main(). It is only used when building this testcase on
85 its own for testing or for building a binary to use in testing binary
86 analysis tools. It is not used when compiling all the testcases as one
87 application, which is how source code analysis tools are tested. */
88
89#ifdef INCLUDEMAIN
90
91using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_dest_wchar_t_cpy_17; /* so that we can use good and bad easily */
92
93int main(int argc, char * argv[])
94{
95 /* seed randomness */
96 srand( (unsigned)time(NULL) );
97#ifndef OMITGOOD
98 printLine("Calling good()...");
99 good();
100 printLine("Finished good()");
101#endif /* OMITGOOD */
102#ifndef OMITBAD
103 printLine("Calling bad()...");
104 bad();
105 printLine("Finished bad()");
106#endif /* OMITBAD */
107 return 0;
108}
109
110#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 275: CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_12.c

Nodes: 16 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_12.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE193.label.xml
4Template File: sources-sink-12.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Point data to a buffer that does not have space for a NULL terminator
10 * GoodSource: Point data to a buffer that includes space for a NULL terminator
11 * Sink: loop
12 * BadSink : Copy array to data using a loop
13 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING L"AAAAAAAAAA"
25
26#ifndef OMITBAD
27
28void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_12_bad()
29{
30 wchar_t * data;
31 wchar_t dataBadBuffer[10];
32 wchar_t dataGoodBuffer[10+1];
33 if(globalReturnsTrueOrFalse())
34 {
35 /* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing
36 * string copies in the sinks */
37 data = dataBadBuffer;
38 data[0] = L'\0'; /* null terminate */
39 }
40 else
41 {
42 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing
43 * string copies in the sinks */
44 data = dataGoodBuffer;
45 data[0] = L'\0'; /* null terminate */
46 }
47 {
48 wchar_t source[10+1] = SRC_STRING;
49 size_t i, sourceLen;
50 sourceLen = wcslen(source);
51 /* Copy length + 1 to include NUL terminator from source */
52 /* POTENTIAL FLAW: data may not have enough space to hold source */
53 for (i = 0; i < sourceLen + 1; i++)
54 {
55 data[i] = source[i];❗VULN
56 }
57 printWLine(data);
58 }
59}
60
61#endif /* OMITBAD */
62
63#ifndef OMITGOOD
64
65/* goodG2B() - use goodsource and badsink by changing the "if" so that
66 * both branches use the GoodSource */
67static void goodG2B()
68{
69 wchar_t * data;
70 wchar_t dataBadBuffer[10];
71 wchar_t dataGoodBuffer[10+1];
72 if(globalReturnsTrueOrFalse())
73 {
74 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing
75 * string copies in the sinks */
76 data = dataGoodBuffer;
77 data[0] = L'\0'; /* null terminate */
78 }
79 else
80 {
81 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing
82 * string copies in the sinks */
83 data = dataGoodBuffer;
84 data[0] = L'\0'; /* null terminate */
85 }
86 {
87 wchar_t source[10+1] = SRC_STRING;
88 size_t i, sourceLen;
89 sourceLen = wcslen(source);
90 /* Copy length + 1 to include NUL terminator from source */
91 /* POTENTIAL FLAW: data may not have enough space to hold source */
92 for (i = 0; i < sourceLen + 1; i++)
93 {
94 data[i] = source[i];
95 }
96 printWLine(data);
97 }
98}
99
100void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_12_good()
101{
102 goodG2B();
103}
104
105#endif /* OMITGOOD */
106
107/* Below is the main(). It is only used when building this testcase on
108 * its own for testing or for building a binary to use in testing binary
109 * analysis tools. It is not used when compiling all the testcases as one
110 * application, which is how source code analysis tools are tested.
111 */
112
113#ifdef INCLUDEMAIN
114
115int main(int argc, char * argv[])
116{
117 /* seed randomness */
118 srand( (unsigned)time(NULL) );
119#ifndef OMITGOOD
120 printLine("Calling good()...");
121 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_12_good();
122 printLine("Finished good()");
123#endif /* OMITGOOD */
124#ifndef OMITBAD
125 printLine("Calling bad()...");
126 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_12_bad();
127 printLine("Finished bad()");
128#endif /* OMITBAD */
129 return 0;
130}
131
132#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2609: CWE127_Buffer_Underread__char_declare_ncpy_08.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__char_declare_ncpy_08.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-08.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: ncpy
12 * BadSink : Copy data to string using strncpy
13 * Flow Variant: 08 Control flow: if(staticReturnsTrue()) and if(staticReturnsFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two function below always return the same value, so a tool
22 * should be able to identify that calls to the functions will always
23 * return a fixed value.
24 */
25static int staticReturnsTrue()
26{
27 return 1;
28}
29
30static int staticReturnsFalse()
31{
32 return 0;
33}
34
35#ifndef OMITBAD
36
37void CWE127_Buffer_Underread__char_declare_ncpy_08_bad()
38{
39 char * data;
40 char dataBuffer[100];
41 memset(dataBuffer, 'A', 100-1);
42 dataBuffer[100-1] = '\0';
43 if(staticReturnsTrue())
44 {
45 /* FLAW: Set data pointer to before the allocated memory buffer */
46 data = dataBuffer - 8;
47 }
48 {
49 char dest[100];
50 memset(dest, 'C', 100-1); /* fill with 'C's */
51 dest[100-1] = '\0'; /* null terminate */
52 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
53 strncpy(dest, data, strlen(dest));❗VULN
54 /* Ensure null termination */
55 dest[100-1] = '\0';
56 printLine(dest);
57 }
58}
59
60#endif /* OMITBAD */
61
62#ifndef OMITGOOD
63
64/* goodG2B1() - use goodsource and badsink by changing the staticReturnsTrue() to staticReturnsFalse() */
65static void goodG2B1()
66{
67 char * data;
68 char dataBuffer[100];
69 memset(dataBuffer, 'A', 100-1);
70 dataBuffer[100-1] = '\0';
71 if(staticReturnsFalse())
72 {
73 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
74 printLine("Benign, fixed string");
75 }
76 else
77 {
78 /* FIX: Set data pointer to the allocated memory buffer */
79 data = dataBuffer;
80 }
81 {
82 char dest[100];
83 memset(dest, 'C', 100-1); /* fill with 'C's */
84 dest[100-1] = '\0'; /* null terminate */
85 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
86 strncpy(dest, data, strlen(dest));
87 /* Ensure null termination */
88 dest[100-1] = '\0';
89 printLine(dest);
90 }
91}
92
93/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
94static void goodG2B2()
95{
96 char * data;
97 char dataBuffer[100];
98 memset(dataBuffer, 'A', 100-1);
99 dataBuffer[100-1] = '\0';
100 if(staticReturnsTrue())
101 {
102 /* FIX: Set data pointer to the allocated memory buffer */
103 data = dataBuffer;
104 }
105 {
106 char dest[100];
107 memset(dest, 'C', 100-1); /* fill with 'C's */
108 dest[100-1] = '\0'; /* null terminate */
109 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
110 strncpy(dest, data, strlen(dest));
111 /* Ensure null termination */
112 dest[100-1] = '\0';
113 printLine(dest);
114 }
115}
116
117void CWE127_Buffer_Underread__char_declare_ncpy_08_good()
118{
119 goodG2B1();
120 goodG2B2();
121}
122
123#endif /* OMITGOOD */
124
125/* Below is the main(). It is only used when building this testcase on
126 * its own for testing or for building a binary to use in testing binary
127 * analysis tools. It is not used when compiling all the testcases as one
128 * application, which is how source code analysis tools are tested.
129 */
130
131#ifdef INCLUDEMAIN
132
133int main(int argc, char * argv[])
134{
135 /* seed randomness */
136 srand( (unsigned)time(NULL) );
137#ifndef OMITGOOD
138 printLine("Calling good()...");
139 CWE127_Buffer_Underread__char_declare_ncpy_08_good();
140 printLine("Finished good()");
141#endif /* OMITGOOD */
142#ifndef OMITBAD
143 printLine("Calling bad()...");
144 CWE127_Buffer_Underread__char_declare_ncpy_08_bad();
145 printLine("Finished bad()");
146#endif /* OMITBAD */
147 return 0;
148}
149
150#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8929: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_memcpy_33.cpp

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_memcpy_33.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193.label.xml
4Template File: sources-sink-33.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 * GoodSource: Allocate enough memory for a string and the NULL terminator
11 * Sinks: memcpy
12 * BadSink : Copy string to data using memcpy()
13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING L"AAAAAAAAAA"
25
26namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_memcpy_33
27{
28
29#ifndef OMITBAD
30
31void bad()
32{
33 wchar_t * data;
34 wchar_t * &dataRef = data;
35 data = NULL;
36 /* FLAW: Did not leave space for a null terminator */
37 data = new wchar_t[10];
38 {
39 wchar_t * data = dataRef;
40 {
41 wchar_t source[10+1] = SRC_STRING;
42 /* Copy length + 1 to include NUL terminator from source */
43 /* POTENTIAL FLAW: data may not have enough space to hold source */
44 memcpy(data, source, (wcslen(source) + 1) * sizeof(wchar_t));❗VULN
45 printWLine(data);
46 delete [] data;
47 }
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* goodG2B() uses the GoodSource with the BadSink */
56static void goodG2B()
57{
58 wchar_t * data;
59 wchar_t * &dataRef = data;
60 data = NULL;
61 /* FIX: Allocate space for a null terminator */
62 data = new wchar_t[10+1];
63 {
64 wchar_t * data = dataRef;
65 {
66 wchar_t source[10+1] = SRC_STRING;
67 /* Copy length + 1 to include NUL terminator from source */
68 /* POTENTIAL FLAW: data may not have enough space to hold source */
69 memcpy(data, source, (wcslen(source) + 1) * sizeof(wchar_t));
70 printWLine(data);
71 delete [] data;
72 }
73 }
74}
75
76void good()
77{
78 goodG2B();
79}
80
81#endif /* OMITGOOD */
82
83} /* close namespace */
84
85/* Below is the main(). It is only used when building this testcase on
86 its own for testing or for building a binary to use in testing binary
87 analysis tools. It is not used when compiling all the testcases as one
88 application, which is how source code analysis tools are tested. */
89#ifdef INCLUDEMAIN
90
91using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_memcpy_33; /* so that we can use good and bad easily */
92
93int main(int argc, char * argv[])
94{
95 /* seed randomness */
96 srand( (unsigned)time(NULL) );
97#ifndef OMITGOOD
98 printLine("Calling good()...");
99 good();
100 printLine("Finished good()");
101#endif /* OMITGOOD */
102#ifndef OMITBAD
103 printLine("Calling bad()...");
104 bad();
105 printLine("Finished bad()");
106#endif /* OMITBAD */
107 return 0;
108}
109
110#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1551: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncat_17.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncat_17.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml
4Template File: sources-sink-17.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: ncat
12 * BadSink : Copy string to data using wcsncat
13 * Flow Variant: 17 Control flow: for loops
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncat_17_bad()
24{
25 int i;
26 wchar_t * data;
27 wchar_t dataBadBuffer[50];
28 wchar_t dataGoodBuffer[100];
29 for(i = 0; i < 1; i++)
30 {
31 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
32 * buffer in various memory copying functions using a "large" source buffer. */
33 data = dataBadBuffer;
34 data[0] = L'\0'; /* null terminate */
35 }
36 {
37 wchar_t source[100];
38 wmemset(source, L'C', 100-1); /* fill with L'C's */
39 source[100-1] = L'\0'; /* null terminate */
40 /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */
41 wcsncat(data, source, 100);❗VULN
42 printWLine(data);
43 }
44}
45
46#endif /* OMITBAD */
47
48#ifndef OMITGOOD
49
50/* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */
51static void goodG2B()
52{
53 int h;
54 wchar_t * data;
55 wchar_t dataBadBuffer[50];
56 wchar_t dataGoodBuffer[100];
57 for(h = 0; h < 1; h++)
58 {
59 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
60 data = dataGoodBuffer;
61 data[0] = L'\0'; /* null terminate */
62 }
63 {
64 wchar_t source[100];
65 wmemset(source, L'C', 100-1); /* fill with L'C's */
66 source[100-1] = L'\0'; /* null terminate */
67 /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */
68 wcsncat(data, source, 100);
69 printWLine(data);
70 }
71}
72
73void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncat_17_good()
74{
75 goodG2B();
76}
77
78#endif /* OMITGOOD */
79
80/* Below is the main(). It is only used when building this testcase on
81 * its own for testing or for building a binary to use in testing binary
82 * analysis tools. It is not used when compiling all the testcases as one
83 * application, which is how source code analysis tools are tested.
84 */
85
86#ifdef INCLUDEMAIN
87
88int main(int argc, char * argv[])
89{
90 /* seed randomness */
91 srand( (unsigned)time(NULL) );
92#ifndef OMITGOOD
93 printLine("Calling good()...");
94 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncat_17_good();
95 printLine("Finished good()");
96#endif /* OMITGOOD */
97#ifndef OMITBAD
98 printLine("Calling bad()...");
99 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_ncat_17_bad();
100 printLine("Finished bad()");
101#endif /* OMITBAD */
102 return 0;
103}
104
105#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3002: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memcpy_34.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memcpy_34.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml
4Template File: sources-sink-34.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sinks: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21typedef union
22{
23 wchar_t * unionFirst;
24 wchar_t * unionSecond;
25} CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memcpy_34_unionType;
26
27#ifndef OMITBAD
28
29void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memcpy_34_bad()
30{
31 wchar_t * data;
32 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memcpy_34_unionType myUnion;
33 wchar_t dataBuffer[100];
34 data = dataBuffer;
35 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
36 wmemset(data, L'A', 100-1); /* fill with L'A's */
37 data[100-1] = L'\0'; /* null terminate */
38 myUnion.unionFirst = data;
39 {
40 wchar_t * data = myUnion.unionSecond;
41 {
42 wchar_t dest[50] = L"";
43 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
44 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));❗VULN
45 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
46 printWLine(data);
47 }
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* goodG2B() uses the GoodSource with the BadSink */
56static void goodG2B()
57{
58 wchar_t * data;
59 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memcpy_34_unionType myUnion;
60 wchar_t dataBuffer[100];
61 data = dataBuffer;
62 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
63 wmemset(data, L'A', 50-1); /* fill with L'A's */
64 data[50-1] = L'\0'; /* null terminate */
65 myUnion.unionFirst = data;
66 {
67 wchar_t * data = myUnion.unionSecond;
68 {
69 wchar_t dest[50] = L"";
70 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
71 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));
72 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
73 printWLine(data);
74 }
75 }
76}
77
78void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memcpy_34_good()
79{
80 goodG2B();
81}
82
83#endif /* OMITGOOD */
84
85/* Below is the main(). It is only used when building this testcase on
86 * its own for testing or for building a binary to use in testing binary
87 * analysis tools. It is not used when compiling all the testcases as one
88 * application, which is how source code analysis tools are tested.
89 */
90#ifdef INCLUDEMAIN
91
92int main(int argc, char * argv[])
93{
94 /* seed randomness */
95 srand( (unsigned)time(NULL) );
96#ifndef OMITGOOD
97 printLine("Calling good()...");
98 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memcpy_34_good();
99 printLine("Finished good()");
100#endif /* OMITGOOD */
101#ifndef OMITBAD
102 printLine("Calling bad()...");
103 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memcpy_34_bad();
104 printLine("Finished bad()");
105#endif /* OMITBAD */
106 return 0;
107}
108
109#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1481: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_memcpy_09.cpp

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_memcpy_09.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806.label.xml
4Template File: sources-sink-09.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE) and if(GLOBAL_CONST_FALSE)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_memcpy_09
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 char * data;
29 data = new char[100];
30 if(GLOBAL_CONST_TRUE)
31 {
32 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
33 memset(data, 'A', 100-1); /* fill with 'A's */
34 data[100-1] = '\0'; /* null terminate */
35 }
36 {
37 char dest[50] = "";
38 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
39 memcpy(dest, data, strlen(data)*sizeof(char));❗VULN
40 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
41 printLine(data);
42 delete [] data;
43 }
44}
45
46#endif /* OMITBAD */
47
48#ifndef OMITGOOD
49
50/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */
51static void goodG2B1()
52{
53 char * data;
54 data = new char[100];
55 if(GLOBAL_CONST_FALSE)
56 {
57 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
58 printLine("Benign, fixed string");
59 }
60 else
61 {
62 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
63 memset(data, 'A', 50-1); /* fill with 'A's */
64 data[50-1] = '\0'; /* null terminate */
65 }
66 {
67 char dest[50] = "";
68 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
69 memcpy(dest, data, strlen(data)*sizeof(char));
70 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
71 printLine(data);
72 delete [] data;
73 }
74}
75
76/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
77static void goodG2B2()
78{
79 char * data;
80 data = new char[100];
81 if(GLOBAL_CONST_TRUE)
82 {
83 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
84 memset(data, 'A', 50-1); /* fill with 'A's */
85 data[50-1] = '\0'; /* null terminate */
86 }
87 {
88 char dest[50] = "";
89 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
90 memcpy(dest, data, strlen(data)*sizeof(char));
91 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
92 printLine(data);
93 delete [] data;
94 }
95}
96
97void good()
98{
99 goodG2B1();
100 goodG2B2();
101}
102
103#endif /* OMITGOOD */
104
105} /* close namespace */
106
107/* Below is the main(). It is only used when building this testcase on
108 its own for testing or for building a binary to use in testing binary
109 analysis tools. It is not used when compiling all the testcases as one
110 application, which is how source code analysis tools are tested. */
111
112#ifdef INCLUDEMAIN
113
114using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_memcpy_09; /* so that we can use good and bad easily */
115
116int main(int argc, char * argv[])
117{
118 /* seed randomness */
119 srand( (unsigned)time(NULL) );
120#ifndef OMITGOOD
121 printLine("Calling good()...");
122 good();
123 printLine("Finished good()");
124#endif /* OMITGOOD */
125#ifndef OMITBAD
126 printLine("Calling bad()...");
127 bad();
128 printLine("Finished bad()");
129#endif /* OMITBAD */
130 return 0;
131}
132
133#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3533: CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_10.c

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_10.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE193.label.xml
4Template File: sources-sink-10.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Point data to a buffer that does not have space for a NULL terminator
10 * GoodSource: Point data to a buffer that includes space for a NULL terminator
11 * Sink: ncpy
12 * BadSink : Copy string to data using strncpy()
13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING "AAAAAAAAAA"
25
26#ifndef OMITBAD
27
28void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_10_bad()
29{
30 char * data;
31 char dataBadBuffer[10];
32 char dataGoodBuffer[10+1];
33 if(globalTrue)
34 {
35 /* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing
36 * string copies in the sinks */
37 data = dataBadBuffer;
38 data[0] = '\0'; /* null terminate */
39 }
40 {
41 char source[10+1] = SRC_STRING;
42 /* Copy length + 1 to include NUL terminator from source */
43 /* POTENTIAL FLAW: data may not have enough space to hold source */
44 strncpy(data, source, strlen(source) + 1);❗VULN
45 printLine(data);
46 }
47}
48
49#endif /* OMITBAD */
50
51#ifndef OMITGOOD
52
53/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */
54static void goodG2B1()
55{
56 char * data;
57 char dataBadBuffer[10];
58 char dataGoodBuffer[10+1];
59 if(globalFalse)
60 {
61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
62 printLine("Benign, fixed string");
63 }
64 else
65 {
66 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing
67 * string copies in the sinks */
68 data = dataGoodBuffer;
69 data[0] = '\0'; /* null terminate */
70 }
71 {
72 char source[10+1] = SRC_STRING;
73 /* Copy length + 1 to include NUL terminator from source */
74 /* POTENTIAL FLAW: data may not have enough space to hold source */
75 strncpy(data, source, strlen(source) + 1);
76 printLine(data);
77 }
78}
79
80/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
81static void goodG2B2()
82{
83 char * data;
84 char dataBadBuffer[10];
85 char dataGoodBuffer[10+1];
86 if(globalTrue)
87 {
88 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing
89 * string copies in the sinks */
90 data = dataGoodBuffer;
91 data[0] = '\0'; /* null terminate */
92 }
93 {
94 char source[10+1] = SRC_STRING;
95 /* Copy length + 1 to include NUL terminator from source */
96 /* POTENTIAL FLAW: data may not have enough space to hold source */
97 strncpy(data, source, strlen(source) + 1);
98 printLine(data);
99 }
100}
101
102void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_10_good()
103{
104 goodG2B1();
105 goodG2B2();
106}
107
108#endif /* OMITGOOD */
109
110/* Below is the main(). It is only used when building this testcase on
111 * its own for testing or for building a binary to use in testing binary
112 * analysis tools. It is not used when compiling all the testcases as one
113 * application, which is how source code analysis tools are tested.
114 */
115
116#ifdef INCLUDEMAIN
117
118int main(int argc, char * argv[])
119{
120 /* seed randomness */
121 srand( (unsigned)time(NULL) );
122#ifndef OMITGOOD
123 printLine("Calling good()...");
124 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_10_good();
125 printLine("Finished good()");
126#endif /* OMITGOOD */
127#ifndef OMITBAD
128 printLine("Calling bad()...");
129 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_10_bad();
130 printLine("Finished bad()");
131#endif /* OMITBAD */
132 return 0;
133}
134
135#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8202: CWE127_Buffer_Underread__char_declare_ncpy_16.c

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__char_declare_ncpy_16.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-16.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: ncpy
12 * BadSink : Copy data to string using strncpy
13 * Flow Variant: 16 Control flow: while(1)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__char_declare_ncpy_16_bad()
24{
25 char * data;
26 char dataBuffer[100];
27 memset(dataBuffer, 'A', 100-1);
28 dataBuffer[100-1] = '\0';
29 while(1)
30 {
31 /* FLAW: Set data pointer to before the allocated memory buffer */
32 data = dataBuffer - 8;
33 break;
34 }
35 {
36 char dest[100];
37 memset(dest, 'C', 100-1); /* fill with 'C's */
38 dest[100-1] = '\0'; /* null terminate */
39 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
40 strncpy(dest, data, strlen(dest));❗VULN
41 /* Ensure null termination */
42 dest[100-1] = '\0';
43 printLine(dest);
44 }
45}
46
47#endif /* OMITBAD */
48
49#ifndef OMITGOOD
50
51/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */
52static void goodG2B()
53{
54 char * data;
55 char dataBuffer[100];
56 memset(dataBuffer, 'A', 100-1);
57 dataBuffer[100-1] = '\0';
58 while(1)
59 {
60 /* FIX: Set data pointer to the allocated memory buffer */
61 data = dataBuffer;
62 break;
63 }
64 {
65 char dest[100];
66 memset(dest, 'C', 100-1); /* fill with 'C's */
67 dest[100-1] = '\0'; /* null terminate */
68 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
69 strncpy(dest, data, strlen(dest));
70 /* Ensure null termination */
71 dest[100-1] = '\0';
72 printLine(dest);
73 }
74}
75
76void CWE127_Buffer_Underread__char_declare_ncpy_16_good()
77{
78 goodG2B();
79}
80
81#endif /* OMITGOOD */
82
83/* Below is the main(). It is only used when building this testcase on
84 * its own for testing or for building a binary to use in testing binary
85 * analysis tools. It is not used when compiling all the testcases as one
86 * application, which is how source code analysis tools are tested.
87 */
88
89#ifdef INCLUDEMAIN
90
91int main(int argc, char * argv[])
92{
93 /* seed randomness */
94 srand( (unsigned)time(NULL) );
95#ifndef OMITGOOD
96 printLine("Calling good()...");
97 CWE127_Buffer_Underread__char_declare_ncpy_16_good();
98 printLine("Finished good()");
99#endif /* OMITGOOD */
100#ifndef OMITBAD
101 printLine("Calling bad()...");
102 CWE127_Buffer_Underread__char_declare_ncpy_16_bad();
103 printLine("Finished bad()");
104#endif /* OMITBAD */
105 return 0;
106}
107
108#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8668: CWE127_Buffer_Underread__char_declare_cpy_10.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__char_declare_cpy_10.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-10.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: cpy
12 * BadSink : Copy data to string using strcpy
13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__char_declare_cpy_10_bad()
24{
25 char * data;
26 char dataBuffer[100];
27 memset(dataBuffer, 'A', 100-1);
28 dataBuffer[100-1] = '\0';
29 if(globalTrue)
30 {
31 /* FLAW: Set data pointer to before the allocated memory buffer */
32 data = dataBuffer - 8;
33 }
34 {
35 char dest[100*2];
36 memset(dest, 'C', 100*2-1); /* fill with 'C's */
37 dest[100*2-1] = '\0'; /* null terminate */
38 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
39 strcpy(dest, data);❗VULN
40 printLine(dest);
41 }
42}
43
44#endif /* OMITBAD */
45
46#ifndef OMITGOOD
47
48/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */
49static void goodG2B1()
50{
51 char * data;
52 char dataBuffer[100];
53 memset(dataBuffer, 'A', 100-1);
54 dataBuffer[100-1] = '\0';
55 if(globalFalse)
56 {
57 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
58 printLine("Benign, fixed string");
59 }
60 else
61 {
62 /* FIX: Set data pointer to the allocated memory buffer */
63 data = dataBuffer;
64 }
65 {
66 char dest[100*2];
67 memset(dest, 'C', 100*2-1); /* fill with 'C's */
68 dest[100*2-1] = '\0'; /* null terminate */
69 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
70 strcpy(dest, data);
71 printLine(dest);
72 }
73}
74
75/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
76static void goodG2B2()
77{
78 char * data;
79 char dataBuffer[100];
80 memset(dataBuffer, 'A', 100-1);
81 dataBuffer[100-1] = '\0';
82 if(globalTrue)
83 {
84 /* FIX: Set data pointer to the allocated memory buffer */
85 data = dataBuffer;
86 }
87 {
88 char dest[100*2];
89 memset(dest, 'C', 100*2-1); /* fill with 'C's */
90 dest[100*2-1] = '\0'; /* null terminate */
91 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
92 strcpy(dest, data);
93 printLine(dest);
94 }
95}
96
97void CWE127_Buffer_Underread__char_declare_cpy_10_good()
98{
99 goodG2B1();
100 goodG2B2();
101}
102
103#endif /* OMITGOOD */
104
105/* Below is the main(). It is only used when building this testcase on
106 * its own for testing or for building a binary to use in testing binary
107 * analysis tools. It is not used when compiling all the testcases as one
108 * application, which is how source code analysis tools are tested.
109 */
110
111#ifdef INCLUDEMAIN
112
113int main(int argc, char * argv[])
114{
115 /* seed randomness */
116 srand( (unsigned)time(NULL) );
117#ifndef OMITGOOD
118 printLine("Calling good()...");
119 CWE127_Buffer_Underread__char_declare_cpy_10_good();
120 printLine("Finished good()");
121#endif /* OMITGOOD */
122#ifndef OMITBAD
123 printLine("Calling bad()...");
124 CWE127_Buffer_Underread__char_declare_cpy_10_bad();
125 printLine("Finished bad()");
126#endif /* OMITBAD */
127 return 0;
128}
129
130#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1596: CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_07.c

Nodes: 9 | Sink Nodes: 7 predicted, 2 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_07.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__sizeof.label.xml
4Template File: sources-sink-07.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize the source buffer using the size of a pointer
10 * GoodSource: Initialize the source buffer using the size of the DataElementType
11 * Sink:
12 * BadSink : Print then free data
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19/* The variable below is not declared "const", but is never assigned
20 * any other value so a tool should be able to identify that reads of
21 * this will always give its initialized value.
22 */
23static int staticFive = 5;
24
25#ifndef OMITBAD
26
27void CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_07_bad()
28{
29 int64_t * data;
30 /* Initialize data */
31 data = NULL;
32 if(staticFive==5)
33 {
34 /* INCIDENTAL: CWE-467 (Use of sizeof() on a pointer type) */
35 /* FLAW: Using sizeof the pointer and not the data type in malloc() */
36 data = (int64_t *)malloc(sizeof(data));
37 if (data == NULL) {exit(-1);}
38 *data = 2147483643LL;❗VULN
39 }
40 /* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */
41 printLongLongLine(*data);❗VULN
42 free(data);
43}
44
45#endif /* OMITBAD */
46
47#ifndef OMITGOOD
48
49/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
50static void goodG2B1()
51{
52 int64_t * data;
53 /* Initialize data */
54 data = NULL;
55 if(staticFive!=5)
56 {
57 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
58 printLine("Benign, fixed string");
59 }
60 else
61 {
62 /* FIX: Using sizeof the data type in malloc() */
63 data = (int64_t *)malloc(sizeof(*data));
64 if (data == NULL) {exit(-1);}
65 *data = 2147483643LL;
66 }
67 /* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */
68 printLongLongLine(*data);
69 free(data);
70}
71
72/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
73static void goodG2B2()
74{
75 int64_t * data;
76 /* Initialize data */
77 data = NULL;
78 if(staticFive==5)
79 {
80 /* FIX: Using sizeof the data type in malloc() */
81 data = (int64_t *)malloc(sizeof(*data));
82 if (data == NULL) {exit(-1);}
83 *data = 2147483643LL;
84 }
85 /* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */
86 printLongLongLine(*data);
87 free(data);
88}
89
90void CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_07_good()
91{
92 goodG2B1();
93 goodG2B2();
94}
95
96#endif /* OMITGOOD */
97
98/* Below is the main(). It is only used when building this testcase on
99 * its own for testing or for building a binary to use in testing binary
100 * analysis tools. It is not used when compiling all the testcases as one
101 * application, which is how source code analysis tools are tested.
102 */
103
104#ifdef INCLUDEMAIN
105
106int main(int argc, char * argv[])
107{
108 /* seed randomness */
109 srand( (unsigned)time(NULL) );
110#ifndef OMITGOOD
111 printLine("Calling good()...");
112 CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_07_good();
113 printLine("Finished good()");
114#endif /* OMITGOOD */
115#ifndef OMITBAD
116 printLine("Calling bad()...");
117 CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_07_bad();
118 printLine("Finished bad()");
119#endif /* OMITBAD */
120 return 0;
121}
122
123#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4400: CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_12.c

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_12.c
3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml
4Template File: sources-sink-12.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memcpy
12 * BadSink : Copy string to data using memcpy
13 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_12_bad()
24{
25 wchar_t * data;
26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
27 wmemset(dataBuffer, L'A', 100-1);
28 dataBuffer[100-1] = L'\0';
29 if(globalReturnsTrueOrFalse())
30 {
31 /* FLAW: Set data pointer to before the allocated memory buffer */
32 data = dataBuffer - 8;
33 }
34 else
35 {
36 /* FIX: Set data pointer to the allocated memory buffer */
37 data = dataBuffer;
38 }
39 {
40 wchar_t source[100];
41 wmemset(source, L'C', 100-1); /* fill with 'C's */
42 source[100-1] = L'\0'; /* null terminate */
43 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
44 memcpy(data, source, 100*sizeof(wchar_t));❗VULN
45 /* Ensure the destination buffer is null terminated */
46 data[100-1] = L'\0';
47 printWLine(data);
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* goodG2B() - use goodsource and badsink by changing the "if" so that
56 * both branches use the GoodSource */
57static void goodG2B()
58{
59 wchar_t * data;
60 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
61 wmemset(dataBuffer, L'A', 100-1);
62 dataBuffer[100-1] = L'\0';
63 if(globalReturnsTrueOrFalse())
64 {
65 /* FIX: Set data pointer to the allocated memory buffer */
66 data = dataBuffer;
67 }
68 else
69 {
70 /* FIX: Set data pointer to the allocated memory buffer */
71 data = dataBuffer;
72 }
73 {
74 wchar_t source[100];
75 wmemset(source, L'C', 100-1); /* fill with 'C's */
76 source[100-1] = L'\0'; /* null terminate */
77 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
78 memcpy(data, source, 100*sizeof(wchar_t));
79 /* Ensure the destination buffer is null terminated */
80 data[100-1] = L'\0';
81 printWLine(data);
82 }
83}
84
85void CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_12_good()
86{
87 goodG2B();
88}
89
90#endif /* OMITGOOD */
91
92/* Below is the main(). It is only used when building this testcase on
93 * its own for testing or for building a binary to use in testing binary
94 * analysis tools. It is not used when compiling all the testcases as one
95 * application, which is how source code analysis tools are tested.
96 */
97
98#ifdef INCLUDEMAIN
99
100int main(int argc, char * argv[])
101{
102 /* seed randomness */
103 srand( (unsigned)time(NULL) );
104#ifndef OMITGOOD
105 printLine("Calling good()...");
106 CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_12_good();
107 printLine("Finished good()");
108#endif /* OMITGOOD */
109#ifndef OMITBAD
110 printLine("Calling bad()...");
111 CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_12_bad();
112 printLine("Finished bad()");
113#endif /* OMITBAD */
114 return 0;
115}
116
117#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2431: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncat_15.c

Nodes: 17 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncat_15.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml
4Template File: sources-sink-15.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: ncat
12 * BadSink : Copy data to string using wcsncat
13 * Flow Variant: 15 Control flow: switch(6)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncat_15_bad()
24{
25 wchar_t * data;
26 data = (wchar_t *)malloc(100*sizeof(wchar_t));
27 if (data == NULL) {exit(-1);}
28 switch(6)
29 {
30 case 6:
31 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
32 wmemset(data, L'A', 100-1); /* fill with L'A's */
33 data[100-1] = L'\0'; /* null terminate */
34 break;
35 default:
36 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
37 printLine("Benign, fixed string");
38 break;
39 }
40 {
41 wchar_t dest[50] = L"";
42 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-wcslen(dest)*/
43 wcsncat(dest, data, wcslen(data));❗VULN
44 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
45 printWLine(data);
46 free(data);
47 }
48}
49
50#endif /* OMITBAD */
51
52#ifndef OMITGOOD
53
54/* goodG2B1() - use goodsource and badsink by changing the switch to switch(5) */
55static void goodG2B1()
56{
57 wchar_t * data;
58 data = (wchar_t *)malloc(100*sizeof(wchar_t));
59 if (data == NULL) {exit(-1);}
60 switch(5)
61 {
62 case 6:
63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
64 printLine("Benign, fixed string");
65 break;
66 default:
67 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
68 wmemset(data, L'A', 50-1); /* fill with L'A's */
69 data[50-1] = L'\0'; /* null terminate */
70 break;
71 }
72 {
73 wchar_t dest[50] = L"";
74 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-wcslen(dest)*/
75 wcsncat(dest, data, wcslen(data));
76 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
77 printWLine(data);
78 free(data);
79 }
80}
81
82/* goodG2B2() - use goodsource and badsink by reversing the blocks in the switch */
83static void goodG2B2()
84{
85 wchar_t * data;
86 data = (wchar_t *)malloc(100*sizeof(wchar_t));
87 if (data == NULL) {exit(-1);}
88 switch(6)
89 {
90 case 6:
91 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
92 wmemset(data, L'A', 50-1); /* fill with L'A's */
93 data[50-1] = L'\0'; /* null terminate */
94 break;
95 default:
96 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
97 printLine("Benign, fixed string");
98 break;
99 }
100 {
101 wchar_t dest[50] = L"";
102 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-wcslen(dest)*/
103 wcsncat(dest, data, wcslen(data));
104 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
105 printWLine(data);
106 free(data);
107 }
108}
109
110void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncat_15_good()
111{
112 goodG2B1();
113 goodG2B2();
114}
115
116#endif /* OMITGOOD */
117
118/* Below is the main(). It is only used when building this testcase on
119 * its own for testing or for building a binary to use in testing binary
120 * analysis tools. It is not used when compiling all the testcases as one
121 * application, which is how source code analysis tools are tested.
122 */
123
124#ifdef INCLUDEMAIN
125
126int main(int argc, char * argv[])
127{
128 /* seed randomness */
129 srand( (unsigned)time(NULL) );
130#ifndef OMITGOOD
131 printLine("Calling good()...");
132 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncat_15_good();
133 printLine("Finished good()");
134#endif /* OMITGOOD */
135#ifndef OMITBAD
136 printLine("Calling bad()...");
137 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncat_15_bad();
138 printLine("Finished bad()");
139#endif /* OMITBAD */
140 return 0;
141}
142
143#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8582: CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_05.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_05.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-05.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: loop
12 * BadSink : Copy int64_t array to data using a loop
13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19/* The two variables below are not defined as "const", but are never
20 * assigned any other value, so a tool should be able to identify that
21 * reads of these will always return their initialized values.
22 */
23static int staticTrue = 1; /* true */
24static int staticFalse = 0; /* false */
25
26#ifndef OMITBAD
27
28void CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_05_bad()
29{
30 int64_t * data;
31 int64_t dataBadBuffer[50];
32 int64_t dataGoodBuffer[100];
33 if(staticTrue)
34 {
35 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
36 * buffer in various memory copying functions using a "large" source buffer. */
37 data = dataBadBuffer;
38 }
39 {
40 int64_t source[100] = {0}; /* fill with 0's */
41 {
42 size_t i;
43 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
44 for (i = 0; i < 100; i++)
45 {
46 data[i] = source[i];❗VULN
47 }
48 printLongLongLine(data[0]);
49 }
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */
58static void goodG2B1()
59{
60 int64_t * data;
61 int64_t dataBadBuffer[50];
62 int64_t dataGoodBuffer[100];
63 if(staticFalse)
64 {
65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
66 printLine("Benign, fixed string");
67 }
68 else
69 {
70 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
71 data = dataGoodBuffer;
72 }
73 {
74 int64_t source[100] = {0}; /* fill with 0's */
75 {
76 size_t i;
77 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
78 for (i = 0; i < 100; i++)
79 {
80 data[i] = source[i];
81 }
82 printLongLongLine(data[0]);
83 }
84 }
85}
86
87/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
88static void goodG2B2()
89{
90 int64_t * data;
91 int64_t dataBadBuffer[50];
92 int64_t dataGoodBuffer[100];
93 if(staticTrue)
94 {
95 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
96 data = dataGoodBuffer;
97 }
98 {
99 int64_t source[100] = {0}; /* fill with 0's */
100 {
101 size_t i;
102 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
103 for (i = 0; i < 100; i++)
104 {
105 data[i] = source[i];
106 }
107 printLongLongLine(data[0]);
108 }
109 }
110}
111
112void CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_05_good()
113{
114 goodG2B1();
115 goodG2B2();
116}
117
118#endif /* OMITGOOD */
119
120/* Below is the main(). It is only used when building this testcase on
121 * its own for testing or for building a binary to use in testing binary
122 * analysis tools. It is not used when compiling all the testcases as one
123 * application, which is how source code analysis tools are tested.
124 */
125
126#ifdef INCLUDEMAIN
127
128int main(int argc, char * argv[])
129{
130 /* seed randomness */
131 srand( (unsigned)time(NULL) );
132#ifndef OMITGOOD
133 printLine("Calling good()...");
134 CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_05_good();
135 printLine("Finished good()");
136#endif /* OMITGOOD */
137#ifndef OMITBAD
138 printLine("Calling bad()...");
139 CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_05_bad();
140 printLine("Finished bad()");
141#endif /* OMITBAD */
142 return 0;
143}
144
145#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9544: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_14.c

Nodes: 8 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_14.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-14.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: memcpy
12 * BadSink : Copy int array to data using memcpy
13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_14_bad()
22{
23 int * data;
24 int dataBadBuffer[50];
25 int dataGoodBuffer[100];
26 if(globalFive==5)
27 {
28 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
29 * buffer in various memory copying functions using a "large" source buffer. */
30 data = dataBadBuffer;
31 }
32 {
33 int source[100] = {0}; /* fill with 0's */
34 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
35 memcpy(data, source, 100*sizeof(int));❗VULN
36 printIntLine(data[0]);
37 }
38}
39
40#endif /* OMITBAD */
41
42#ifndef OMITGOOD
43
44/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */
45static void goodG2B1()
46{
47 int * data;
48 int dataBadBuffer[50];
49 int dataGoodBuffer[100];
50 if(globalFive!=5)
51 {
52 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
53 printLine("Benign, fixed string");
54 }
55 else
56 {
57 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
58 data = dataGoodBuffer;
59 }
60 {
61 int source[100] = {0}; /* fill with 0's */
62 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
63 memcpy(data, source, 100*sizeof(int));
64 printIntLine(data[0]);
65 }
66}
67
68/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
69static void goodG2B2()
70{
71 int * data;
72 int dataBadBuffer[50];
73 int dataGoodBuffer[100];
74 if(globalFive==5)
75 {
76 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
77 data = dataGoodBuffer;
78 }
79 {
80 int source[100] = {0}; /* fill with 0's */
81 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
82 memcpy(data, source, 100*sizeof(int));
83 printIntLine(data[0]);
84 }
85}
86
87void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_14_good()
88{
89 goodG2B1();
90 goodG2B2();
91}
92
93#endif /* OMITGOOD */
94
95/* Below is the main(). It is only used when building this testcase on
96 * its own for testing or for building a binary to use in testing binary
97 * analysis tools. It is not used when compiling all the testcases as one
98 * application, which is how source code analysis tools are tested.
99 */
100
101#ifdef INCLUDEMAIN
102
103int main(int argc, char * argv[])
104{
105 /* seed randomness */
106 srand( (unsigned)time(NULL) );
107#ifndef OMITGOOD
108 printLine("Calling good()...");
109 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_14_good();
110 printLine("Finished good()");
111#endif /* OMITGOOD */
112#ifndef OMITBAD
113 printLine("Calling bad()...");
114 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_memcpy_14_bad();
115 printLine("Finished bad()");
116#endif /* OMITBAD */
117 return 0;
118}
119
120#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8136: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_loop_02.cpp

Nodes: 16 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_loop_02.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml
4Template File: sources-sink-02.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: loop
12 * BadSink : Copy string to data using a loop
13 * Flow Variant: 02 Control flow: if(1) and if(0)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_loop_02
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 wchar_t * data;
29 data = NULL;
30 if(1)
31 {
32 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
33 data = new wchar_t[50];
34 data[0] = L'\0'; /* null terminate */
35 }
36 {
37 size_t i;
38 wchar_t source[100];
39 wmemset(source, L'C', 100-1); /* fill with L'C's */
40 source[100-1] = L'\0'; /* null terminate */
41 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
42 for (i = 0; i < 100; i++)
43 {
44 data[i] = source[i];❗VULN
45 }
46 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
47 printWLine(data);
48 delete [] data;
49 }
50}
51
52#endif /* OMITBAD */
53
54#ifndef OMITGOOD
55
56/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */
57static void goodG2B1()
58{
59 wchar_t * data;
60 data = NULL;
61 if(0)
62 {
63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
64 printLine("Benign, fixed string");
65 }
66 else
67 {
68 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
69 data = new wchar_t[100];
70 data[0] = L'\0'; /* null terminate */
71 }
72 {
73 size_t i;
74 wchar_t source[100];
75 wmemset(source, L'C', 100-1); /* fill with L'C's */
76 source[100-1] = L'\0'; /* null terminate */
77 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
78 for (i = 0; i < 100; i++)
79 {
80 data[i] = source[i];
81 }
82 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
83 printWLine(data);
84 delete [] data;
85 }
86}
87
88/* goodG2B2() - use goodsource and badsink by reversing the statements in the if */
89static void goodG2B2()
90{
91 wchar_t * data;
92 data = NULL;
93 if(1)
94 {
95 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
96 data = new wchar_t[100];
97 data[0] = L'\0'; /* null terminate */
98 }
99 {
100 size_t i;
101 wchar_t source[100];
102 wmemset(source, L'C', 100-1); /* fill with L'C's */
103 source[100-1] = L'\0'; /* null terminate */
104 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
105 for (i = 0; i < 100; i++)
106 {
107 data[i] = source[i];
108 }
109 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
110 printWLine(data);
111 delete [] data;
112 }
113}
114
115void good()
116{
117 goodG2B1();
118 goodG2B2();
119}
120
121#endif /* OMITGOOD */
122
123} /* close namespace */
124
125/* Below is the main(). It is only used when building this testcase on
126 its own for testing or for building a binary to use in testing binary
127 analysis tools. It is not used when compiling all the testcases as one
128 application, which is how source code analysis tools are tested. */
129
130#ifdef INCLUDEMAIN
131
132using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_loop_02; /* so that we can use good and bad easily */
133
134int main(int argc, char * argv[])
135{
136 /* seed randomness */
137 srand( (unsigned)time(NULL) );
138#ifndef OMITGOOD
139 printLine("Calling good()...");
140 good();
141 printLine("Finished good()");
142#endif /* OMITGOOD */
143#ifndef OMITBAD
144 printLine("Calling bad()...");
145 bad();
146 printLine("Finished bad()");
147#endif /* OMITBAD */
148 return 0;
149}
150
151#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2167: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_loop_42.c

Nodes: 17 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_loop_42.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml
4Template File: sources-sink-42.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 * Sink: loop
12 * BadSink : Copy twoIntsStruct array to data using a loop
13 * Flow Variant: 42 Data flow: data returned from one function to another in the same source file
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21static twoIntsStruct * badSource(twoIntsStruct * data)
22{
23 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
24 data = (twoIntsStruct *)malloc(50*sizeof(twoIntsStruct));
25 if (data == NULL) {exit(-1);}
26 return data;
27}
28
29void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_loop_42_bad()
30{
31 twoIntsStruct * data;
32 data = NULL;
33 data = badSource(data);
34 {
35 twoIntsStruct source[100];
36 {
37 size_t i;
38 /* Initialize array */
39 for (i = 0; i < 100; i++)
40 {
41 source[i].intOne = 0;
42 source[i].intTwo = 0;
43 }
44 }
45 {
46 size_t i;
47 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
48 for (i = 0; i < 100; i++)
49 {
50 data[i] = source[i];❗VULN
51 }
52 printStructLine(&data[0]);
53 free(data);
54 }
55 }
56}
57
58#endif /* OMITBAD */
59
60#ifndef OMITGOOD
61
62static twoIntsStruct * goodG2BSource(twoIntsStruct * data)
63{
64 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
65 data = (twoIntsStruct *)malloc(100*sizeof(twoIntsStruct));
66 if (data == NULL) {exit(-1);}
67 return data;
68}
69
70/* goodG2B uses the GoodSource with the BadSink */
71static void goodG2B()
72{
73 twoIntsStruct * data;
74 data = NULL;
75 data = goodG2BSource(data);
76 {
77 twoIntsStruct source[100];
78 {
79 size_t i;
80 /* Initialize array */
81 for (i = 0; i < 100; i++)
82 {
83 source[i].intOne = 0;
84 source[i].intTwo = 0;
85 }
86 }
87 {
88 size_t i;
89 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
90 for (i = 0; i < 100; i++)
91 {
92 data[i] = source[i];
93 }
94 printStructLine(&data[0]);
95 free(data);
96 }
97 }
98}
99
100void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_loop_42_good()
101{
102 goodG2B();
103}
104
105#endif /* OMITGOOD */
106
107/* Below is the main(). It is only used when building this testcase on
108 * its own for testing or for building a binary to use in testing binary
109 * analysis tools. It is not used when compiling all the testcases as one
110 * application, which is how source code analysis tools are tested.
111 */
112
113#ifdef INCLUDEMAIN
114
115int main(int argc, char * argv[])
116{
117 /* seed randomness */
118 srand( (unsigned)time(NULL) );
119#ifndef OMITGOOD
120 printLine("Calling good()...");
121 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_loop_42_good();
122 printLine("Finished good()");
123#endif /* OMITGOOD */
124#ifndef OMITBAD
125 printLine("Calling bad()...");
126 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_loop_42_bad();
127 printLine("Finished bad()");
128#endif /* OMITBAD */
129 return 0;
130}
131
132#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 49: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_loop_05.cpp

Nodes: 16 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_loop_05.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml
4Template File: sources-sink-05.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: loop
12 * BadSink : Copy string to data using a loop
13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are not defined as "const", but are never
22 assigned any other value, so a tool should be able to identify that
23 reads of these will always return their initialized values. */
24static int staticTrue = 1; /* true */
25static int staticFalse = 0; /* false */
26
27namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_loop_05
28{
29
30#ifndef OMITBAD
31
32void bad()
33{
34 char * data;
35 data = NULL;
36 if(staticTrue)
37 {
38 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
39 data = new char[50];
40 data[0] = '\0'; /* null terminate */
41 }
42 {
43 size_t i;
44 char source[100];
45 memset(source, 'C', 100-1); /* fill with 'C's */
46 source[100-1] = '\0'; /* null terminate */
47 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
48 for (i = 0; i < 100; i++)
49 {
50 data[i] = source[i];❗VULN
51 }
52 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
53 printLine(data);
54 delete [] data;
55 }
56}
57
58#endif /* OMITBAD */
59
60#ifndef OMITGOOD
61
62/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */
63static void goodG2B1()
64{
65 char * data;
66 data = NULL;
67 if(staticFalse)
68 {
69 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
70 printLine("Benign, fixed string");
71 }
72 else
73 {
74 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
75 data = new char[100];
76 data[0] = '\0'; /* null terminate */
77 }
78 {
79 size_t i;
80 char source[100];
81 memset(source, 'C', 100-1); /* fill with 'C's */
82 source[100-1] = '\0'; /* null terminate */
83 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
84 for (i = 0; i < 100; i++)
85 {
86 data[i] = source[i];
87 }
88 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
89 printLine(data);
90 delete [] data;
91 }
92}
93
94/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
95static void goodG2B2()
96{
97 char * data;
98 data = NULL;
99 if(staticTrue)
100 {
101 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
102 data = new char[100];
103 data[0] = '\0'; /* null terminate */
104 }
105 {
106 size_t i;
107 char source[100];
108 memset(source, 'C', 100-1); /* fill with 'C's */
109 source[100-1] = '\0'; /* null terminate */
110 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
111 for (i = 0; i < 100; i++)
112 {
113 data[i] = source[i];
114 }
115 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
116 printLine(data);
117 delete [] data;
118 }
119}
120
121void good()
122{
123 goodG2B1();
124 goodG2B2();
125}
126
127#endif /* OMITGOOD */
128
129} /* close namespace */
130
131/* Below is the main(). It is only used when building this testcase on
132 its own for testing or for building a binary to use in testing binary
133 analysis tools. It is not used when compiling all the testcases as one
134 application, which is how source code analysis tools are tested. */
135
136#ifdef INCLUDEMAIN
137
138using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_loop_05; /* so that we can use good and bad easily */
139
140int main(int argc, char * argv[])
141{
142 /* seed randomness */
143 srand( (unsigned)time(NULL) );
144#ifndef OMITGOOD
145 printLine("Calling good()...");
146 good();
147 printLine("Finished good()");
148#endif /* OMITGOOD */
149#ifndef OMITBAD
150 printLine("Calling bad()...");
151 bad();
152 printLine("Finished bad()");
153#endif /* OMITBAD */
154 return 0;
155}
156
157#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7719: CWE126_Buffer_Overread__new_char_memmove_31.cpp

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__new_char_memmove_31.cpp
3Label Definition File: CWE126_Buffer_Overread__new.label.xml
4Template File: sources-sink-31.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Use a small buffer
10 * GoodSource: Use a large buffer
11 * Sinks: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 31 Data flow using a copy of data within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE126_Buffer_Overread__new_char_memmove_31
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 char * data;
29 data = NULL;
30 /* FLAW: Use a small buffer */
31 data = new char[50];
32 memset(data, 'A', 50-1); /* fill with 'A's */
33 data[50-1] = '\0'; /* null terminate */
34 {
35 char * dataCopy = data;
36 char * data = dataCopy;
37 {
38 char dest[100];
39 memset(dest, 'C', 100-1);
40 dest[100-1] = '\0'; /* null terminate */
41 /* POTENTIAL FLAW: using memmove with the length of the dest where data
42 * could be smaller than dest causing buffer overread */
43 memmove(dest, data, strlen(dest)*sizeof(char));❗VULN
44 dest[100-1] = '\0';
45 printLine(dest);
46 delete [] data;
47 }
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* goodG2B() uses the GoodSource with the BadSink */
56static void goodG2B()
57{
58 char * data;
59 data = NULL;
60 /* FIX: Use a large buffer */
61 data = new char[100];
62 memset(data, 'A', 100-1); /* fill with 'A's */
63 data[100-1] = '\0'; /* null terminate */
64 {
65 char * dataCopy = data;
66 char * data = dataCopy;
67 {
68 char dest[100];
69 memset(dest, 'C', 100-1);
70 dest[100-1] = '\0'; /* null terminate */
71 /* POTENTIAL FLAW: using memmove with the length of the dest where data
72 * could be smaller than dest causing buffer overread */
73 memmove(dest, data, strlen(dest)*sizeof(char));
74 dest[100-1] = '\0';
75 printLine(dest);
76 delete [] data;
77 }
78 }
79}
80
81void good()
82{
83 goodG2B();
84}
85
86#endif /* OMITGOOD */
87
88} /* close namespace */
89
90/* Below is the main(). It is only used when building this testcase on
91 its own for testing or for building a binary to use in testing binary
92 analysis tools. It is not used when compiling all the testcases as one
93 application, which is how source code analysis tools are tested. */
94#ifdef INCLUDEMAIN
95
96using namespace CWE126_Buffer_Overread__new_char_memmove_31; /* so that we can use good and bad easily */
97
98int main(int argc, char * argv[])
99{
100 /* seed randomness */
101 srand( (unsigned)time(NULL) );
102#ifndef OMITGOOD
103 printLine("Calling good()...");
104 good();
105 printLine("Finished good()");
106#endif /* OMITGOOD */
107#ifndef OMITBAD
108 printLine("Calling bad()...");
109 bad();
110 printLine("Finished bad()");
111#endif /* OMITBAD */
112 return 0;
113}
114
115#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1270: CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_32.c

Nodes: 17 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_32.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_dest.label.xml
4Template File: sources-sink-32.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 * Sink: cat
12 * BadSink : Copy string to data using wcscat
13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_32_bad()
24{
25 wchar_t * data;
26 wchar_t * *dataPtr1 = &data;
27 wchar_t * *dataPtr2 = &data;
28 data = NULL;
29 {
30 wchar_t * data = *dataPtr1;
31 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
32 data = (wchar_t *)malloc(50*sizeof(wchar_t));
33 if (data == NULL) {exit(-1);}
34 data[0] = L'\0'; /* null terminate */
35 *dataPtr1 = data;
36 }
37 {
38 wchar_t * data = *dataPtr2;
39 {
40 wchar_t source[100];
41 wmemset(source, L'C', 100-1); /* fill with L'C's */
42 source[100-1] = L'\0'; /* null terminate */
43 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
44 wcscat(data, source);❗VULN
45 printWLine(data);
46 free(data);
47 }
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* goodG2B() uses the GoodSource with the BadSink */
56static void goodG2B()
57{
58 wchar_t * data;
59 wchar_t * *dataPtr1 = &data;
60 wchar_t * *dataPtr2 = &data;
61 data = NULL;
62 {
63 wchar_t * data = *dataPtr1;
64 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
65 data = (wchar_t *)malloc(100*sizeof(wchar_t));
66 if (data == NULL) {exit(-1);}
67 data[0] = L'\0'; /* null terminate */
68 *dataPtr1 = data;
69 }
70 {
71 wchar_t * data = *dataPtr2;
72 {
73 wchar_t source[100];
74 wmemset(source, L'C', 100-1); /* fill with L'C's */
75 source[100-1] = L'\0'; /* null terminate */
76 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
77 wcscat(data, source);
78 printWLine(data);
79 free(data);
80 }
81 }
82}
83
84void CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_32_good()
85{
86 goodG2B();
87}
88
89#endif /* OMITGOOD */
90
91/* Below is the main(). It is only used when building this testcase on
92 * its own for testing or for building a binary to use in testing binary
93 * analysis tools. It is not used when compiling all the testcases as one
94 * application, which is how source code analysis tools are tested.
95 */
96#ifdef INCLUDEMAIN
97
98int main(int argc, char * argv[])
99{
100 /* seed randomness */
101 srand( (unsigned)time(NULL) );
102#ifndef OMITGOOD
103 printLine("Calling good()...");
104 CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_32_good();
105 printLine("Finished good()");
106#endif /* OMITGOOD */
107#ifndef OMITBAD
108 printLine("Calling bad()...");
109 CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_32_bad();
110 printLine("Finished bad()");
111#endif /* OMITBAD */
112 return 0;
113}
114
115#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1118: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_memmove_31.cpp

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_memmove_31.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193.label.xml
4Template File: sources-sink-31.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 * GoodSource: Allocate enough memory for a string and the NULL terminator
11 * Sinks: memmove
12 * BadSink : Copy string to data using memmove()
13 * Flow Variant: 31 Data flow using a copy of data within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING L"AAAAAAAAAA"
25
26namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_memmove_31
27{
28
29#ifndef OMITBAD
30
31void bad()
32{
33 wchar_t * data;
34 data = NULL;
35 /* FLAW: Did not leave space for a null terminator */
36 data = new wchar_t[10];
37 {
38 wchar_t * dataCopy = data;
39 wchar_t * data = dataCopy;
40 {
41 wchar_t source[10+1] = SRC_STRING;
42 /* Copy length + 1 to include NUL terminator from source */
43 /* POTENTIAL FLAW: data may not have enough space to hold source */
44 memmove(data, source, (wcslen(source) + 1) * sizeof(wchar_t));❗VULN
45 printWLine(data);
46 delete [] data;
47 }
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* goodG2B() uses the GoodSource with the BadSink */
56static void goodG2B()
57{
58 wchar_t * data;
59 data = NULL;
60 /* FIX: Allocate space for a null terminator */
61 data = new wchar_t[10+1];
62 {
63 wchar_t * dataCopy = data;
64 wchar_t * data = dataCopy;
65 {
66 wchar_t source[10+1] = SRC_STRING;
67 /* Copy length + 1 to include NUL terminator from source */
68 /* POTENTIAL FLAW: data may not have enough space to hold source */
69 memmove(data, source, (wcslen(source) + 1) * sizeof(wchar_t));
70 printWLine(data);
71 delete [] data;
72 }
73 }
74}
75
76void good()
77{
78 goodG2B();
79}
80
81#endif /* OMITGOOD */
82
83} /* close namespace */
84
85/* Below is the main(). It is only used when building this testcase on
86 its own for testing or for building a binary to use in testing binary
87 analysis tools. It is not used when compiling all the testcases as one
88 application, which is how source code analysis tools are tested. */
89#ifdef INCLUDEMAIN
90
91using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_wchar_t_memmove_31; /* so that we can use good and bad easily */
92
93int main(int argc, char * argv[])
94{
95 /* seed randomness */
96 srand( (unsigned)time(NULL) );
97#ifndef OMITGOOD
98 printLine("Calling good()...");
99 good();
100 printLine("Finished good()");
101#endif /* OMITGOOD */
102#ifndef OMITBAD
103 printLine("Calling bad()...");
104 bad();
105 printLine("Finished bad()");
106#endif /* OMITBAD */
107 return 0;
108}
109
110#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8468: CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_01.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_01.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_dest.label.xml
4Template File: sources-sink-01.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 * Sink: cat
12 * BadSink : Copy string to data using wcscat
13 * Flow Variant: 01 Baseline
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_01_bad()
24{
25 wchar_t * data;
26 data = NULL;
27 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
28 data = (wchar_t *)malloc(50*sizeof(wchar_t));
29 if (data == NULL) {exit(-1);}
30 data[0] = L'\0'; /* null terminate */
31 {
32 wchar_t source[100];
33 wmemset(source, L'C', 100-1); /* fill with L'C's */
34 source[100-1] = L'\0'; /* null terminate */
35 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
36 wcscat(data, source);❗VULN
37 printWLine(data);
38 free(data);
39 }
40}
41
42#endif /* OMITBAD */
43
44#ifndef OMITGOOD
45
46/* goodG2B uses the GoodSource with the BadSink */
47static void goodG2B()
48{
49 wchar_t * data;
50 data = NULL;
51 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
52 data = (wchar_t *)malloc(100*sizeof(wchar_t));
53 if (data == NULL) {exit(-1);}
54 data[0] = L'\0'; /* null terminate */
55 {
56 wchar_t source[100];
57 wmemset(source, L'C', 100-1); /* fill with L'C's */
58 source[100-1] = L'\0'; /* null terminate */
59 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
60 wcscat(data, source);
61 printWLine(data);
62 free(data);
63 }
64}
65
66void CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_01_good()
67{
68 goodG2B();
69}
70
71#endif /* OMITGOOD */
72
73/* Below is the main(). It is only used when building this testcase on
74 * its own for testing or for building a binary to use in testing binary
75 * analysis tools. It is not used when compiling all the testcases as one
76 * application, which is how source code analysis tools are tested.
77 */
78
79#ifdef INCLUDEMAIN
80
81int main(int argc, char * argv[])
82{
83 /* seed randomness */
84 srand( (unsigned)time(NULL) );
85#ifndef OMITGOOD
86 printLine("Calling good()...");
87 CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_01_good();
88 printLine("Finished good()");
89#endif /* OMITGOOD */
90#ifndef OMITBAD
91 printLine("Calling bad()...");
92 CWE122_Heap_Based_Buffer_Overflow__c_dest_wchar_t_cat_01_bad();
93 printLine("Finished bad()");
94#endif /* OMITBAD */
95 return 0;
96}
97
98#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6805: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-45.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sinks: loop
12 * BadSink : Copy twoIntsStruct array to data using a loop
13 * Flow Variant: 45 Data flow: data passed as a static global variable from one function to another in the same source file
14 *
15 * */
16
17#include "std_testcase.h"
18
19static twoIntsStruct * CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_badData;
20static twoIntsStruct * CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_goodG2BData;
21
22#ifndef OMITBAD
23
24static void badSink()
25{
26 twoIntsStruct * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_badData;
27 {
28 twoIntsStruct source[100];
29 {
30 size_t i;
31 /* Initialize array */
32 for (i = 0; i < 100; i++)
33 {
34 source[i].intOne = 0;
35 source[i].intTwo = 0;
36 }
37 }
38 {
39 size_t i;
40 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
41 for (i = 0; i < 100; i++)
42 {
43 data[i] = source[i];❗VULN
44 }
45 printStructLine(&data[0]);
46 }
47 }
48}
49
50void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_bad()
51{
52 twoIntsStruct * data;
53 twoIntsStruct dataBadBuffer[50];
54 twoIntsStruct dataGoodBuffer[100];
55 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
56 * buffer in various memory copying functions using a "large" source buffer. */
57 data = dataBadBuffer;
58 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_badData = data;
59 badSink();
60}
61
62#endif /* OMITBAD */
63
64#ifndef OMITGOOD
65
66/* goodG2B() uses the GoodSource with the BadSink */
67static void goodG2BSink()
68{
69 twoIntsStruct * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_goodG2BData;
70 {
71 twoIntsStruct source[100];
72 {
73 size_t i;
74 /* Initialize array */
75 for (i = 0; i < 100; i++)
76 {
77 source[i].intOne = 0;
78 source[i].intTwo = 0;
79 }
80 }
81 {
82 size_t i;
83 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
84 for (i = 0; i < 100; i++)
85 {
86 data[i] = source[i];
87 }
88 printStructLine(&data[0]);
89 }
90 }
91}
92
93static void goodG2B()
94{
95 twoIntsStruct * data;
96 twoIntsStruct dataBadBuffer[50];
97 twoIntsStruct dataGoodBuffer[100];
98 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
99 data = dataGoodBuffer;
100 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_goodG2BData = data;
101 goodG2BSink();
102}
103
104void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_good()
105{
106 goodG2B();
107}
108
109#endif /* OMITGOOD */
110
111/* Below is the main(). It is only used when building this testcase on
112 * its own for testing or for building a binary to use in testing binary
113 * analysis tools. It is not used when compiling all the testcases as one
114 * application, which is how source code analysis tools are tested.
115 */
116#ifdef INCLUDEMAIN
117
118int main(int argc, char * argv[])
119{
120 /* seed randomness */
121 srand( (unsigned)time(NULL) );
122#ifndef OMITGOOD
123 printLine("Calling good()...");
124 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_good();
125 printLine("Finished good()");
126#endif /* OMITGOOD */
127#ifndef OMITBAD
128 printLine("Calling bad()...");
129 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_45_bad();
130 printLine("Finished bad()");
131#endif /* OMITBAD */
132 return 0;
133}
134
135#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7989: CWE124_Buffer_Underwrite__malloc_char_loop_17.c

Nodes: 22 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__malloc_char_loop_17.c
3Label Definition File: CWE124_Buffer_Underwrite__malloc.label.xml
4Template File: sources-sink-17.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: loop
12 * BadSink : Copy string to data using a loop
13 * Flow Variant: 17 Control flow: for loops
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE124_Buffer_Underwrite__malloc_char_loop_17_bad()
24{
25 int i;
26 char * data;
27 data = NULL;
28 for(i = 0; i < 1; i++)
29 {
30 {
31 char * dataBuffer = (char *)malloc(100*sizeof(char));
32 if (dataBuffer == NULL) {exit(-1);}
33 memset(dataBuffer, 'A', 100-1);
34 dataBuffer[100-1] = '\0';
35 /* FLAW: Set data pointer to before the allocated memory buffer */
36 data = dataBuffer - 8;
37 }
38 }
39 {
40 size_t i;
41 char source[100];
42 memset(source, 'C', 100-1); /* fill with 'C's */
43 source[100-1] = '\0'; /* null terminate */
44 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
45 for (i = 0; i < 100; i++)
46 {
47 data[i] = source[i];❗VULN
48 }
49 /* Ensure the destination buffer is null terminated */
50 data[100-1] = '\0';
51 printLine(data);
52 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
53 * returned by malloc() so can't safely call free() on it */
54 }
55}
56
57#endif /* OMITBAD */
58
59#ifndef OMITGOOD
60
61/* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */
62static void goodG2B()
63{
64 int h;
65 char * data;
66 data = NULL;
67 for(h = 0; h < 1; h++)
68 {
69 {
70 char * dataBuffer = (char *)malloc(100*sizeof(char));
71 if (dataBuffer == NULL) {exit(-1);}
72 memset(dataBuffer, 'A', 100-1);
73 dataBuffer[100-1] = '\0';
74 /* FIX: Set data pointer to the allocated memory buffer */
75 data = dataBuffer;
76 }
77 }
78 {
79 size_t i;
80 char source[100];
81 memset(source, 'C', 100-1); /* fill with 'C's */
82 source[100-1] = '\0'; /* null terminate */
83 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
84 for (i = 0; i < 100; i++)
85 {
86 data[i] = source[i];
87 }
88 /* Ensure the destination buffer is null terminated */
89 data[100-1] = '\0';
90 printLine(data);
91 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
92 * returned by malloc() so can't safely call free() on it */
93 }
94}
95
96void CWE124_Buffer_Underwrite__malloc_char_loop_17_good()
97{
98 goodG2B();
99}
100
101#endif /* OMITGOOD */
102
103/* Below is the main(). It is only used when building this testcase on
104 * its own for testing or for building a binary to use in testing binary
105 * analysis tools. It is not used when compiling all the testcases as one
106 * application, which is how source code analysis tools are tested.
107 */
108
109#ifdef INCLUDEMAIN
110
111int main(int argc, char * argv[])
112{
113 /* seed randomness */
114 srand( (unsigned)time(NULL) );
115#ifndef OMITGOOD
116 printLine("Calling good()...");
117 CWE124_Buffer_Underwrite__malloc_char_loop_17_good();
118 printLine("Finished good()");
119#endif /* OMITGOOD */
120#ifndef OMITBAD
121 printLine("Calling bad()...");
122 CWE124_Buffer_Underwrite__malloc_char_loop_17_bad();
123 printLine("Finished bad()");
124#endif /* OMITBAD */
125 return 0;
126}
127
128#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6648: CWE127_Buffer_Underread__char_declare_memcpy_05.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__char_declare_memcpy_05.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-05.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are not defined as "const", but are never
22 * assigned any other value, so a tool should be able to identify that
23 * reads of these will always return their initialized values.
24 */
25static int staticTrue = 1; /* true */
26static int staticFalse = 0; /* false */
27
28#ifndef OMITBAD
29
30void CWE127_Buffer_Underread__char_declare_memcpy_05_bad()
31{
32 char * data;
33 char dataBuffer[100];
34 memset(dataBuffer, 'A', 100-1);
35 dataBuffer[100-1] = '\0';
36 if(staticTrue)
37 {
38 /* FLAW: Set data pointer to before the allocated memory buffer */
39 data = dataBuffer - 8;
40 }
41 {
42 char dest[100];
43 memset(dest, 'C', 100-1); /* fill with 'C's */
44 dest[100-1] = '\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
46 memcpy(dest, data, 100*sizeof(char));❗VULN
47 /* Ensure null termination */
48 dest[100-1] = '\0';
49 printLine(dest);
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */
58static void goodG2B1()
59{
60 char * data;
61 char dataBuffer[100];
62 memset(dataBuffer, 'A', 100-1);
63 dataBuffer[100-1] = '\0';
64 if(staticFalse)
65 {
66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
67 printLine("Benign, fixed string");
68 }
69 else
70 {
71 /* FIX: Set data pointer to the allocated memory buffer */
72 data = dataBuffer;
73 }
74 {
75 char dest[100];
76 memset(dest, 'C', 100-1); /* fill with 'C's */
77 dest[100-1] = '\0'; /* null terminate */
78 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
79 memcpy(dest, data, 100*sizeof(char));
80 /* Ensure null termination */
81 dest[100-1] = '\0';
82 printLine(dest);
83 }
84}
85
86/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
87static void goodG2B2()
88{
89 char * data;
90 char dataBuffer[100];
91 memset(dataBuffer, 'A', 100-1);
92 dataBuffer[100-1] = '\0';
93 if(staticTrue)
94 {
95 /* FIX: Set data pointer to the allocated memory buffer */
96 data = dataBuffer;
97 }
98 {
99 char dest[100];
100 memset(dest, 'C', 100-1); /* fill with 'C's */
101 dest[100-1] = '\0'; /* null terminate */
102 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
103 memcpy(dest, data, 100*sizeof(char));
104 /* Ensure null termination */
105 dest[100-1] = '\0';
106 printLine(dest);
107 }
108}
109
110void CWE127_Buffer_Underread__char_declare_memcpy_05_good()
111{
112 goodG2B1();
113 goodG2B2();
114}
115
116#endif /* OMITGOOD */
117
118/* Below is the main(). It is only used when building this testcase on
119 * its own for testing or for building a binary to use in testing binary
120 * analysis tools. It is not used when compiling all the testcases as one
121 * application, which is how source code analysis tools are tested.
122 */
123
124#ifdef INCLUDEMAIN
125
126int main(int argc, char * argv[])
127{
128 /* seed randomness */
129 srand( (unsigned)time(NULL) );
130#ifndef OMITGOOD
131 printLine("Calling good()...");
132 CWE127_Buffer_Underread__char_declare_memcpy_05_good();
133 printLine("Finished good()");
134#endif /* OMITGOOD */
135#ifndef OMITBAD
136 printLine("Calling bad()...");
137 CWE127_Buffer_Underread__char_declare_memcpy_05_bad();
138 printLine("Finished bad()");
139#endif /* OMITBAD */
140 return 0;
141}
142
143#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8215: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memmove_13.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memmove_13.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml
4Template File: sources-sink-13.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memmove_13_bad()
24{
25 wchar_t * data;
26 wchar_t dataBuffer[100];
27 data = dataBuffer;
28 if(GLOBAL_CONST_FIVE==5)
29 {
30 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
31 wmemset(data, L'A', 100-1); /* fill with L'A's */
32 data[100-1] = L'\0'; /* null terminate */
33 }
34 {
35 wchar_t dest[50] = L"";
36 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
37 memmove(dest, data, wcslen(data)*sizeof(wchar_t));❗VULN
38 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
39 printWLine(data);
40 }
41}
42
43#endif /* OMITBAD */
44
45#ifndef OMITGOOD
46
47/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */
48static void goodG2B1()
49{
50 wchar_t * data;
51 wchar_t dataBuffer[100];
52 data = dataBuffer;
53 if(GLOBAL_CONST_FIVE!=5)
54 {
55 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
56 printLine("Benign, fixed string");
57 }
58 else
59 {
60 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
61 wmemset(data, L'A', 50-1); /* fill with L'A's */
62 data[50-1] = L'\0'; /* null terminate */
63 }
64 {
65 wchar_t dest[50] = L"";
66 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
67 memmove(dest, data, wcslen(data)*sizeof(wchar_t));
68 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
69 printWLine(data);
70 }
71}
72
73/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
74static void goodG2B2()
75{
76 wchar_t * data;
77 wchar_t dataBuffer[100];
78 data = dataBuffer;
79 if(GLOBAL_CONST_FIVE==5)
80 {
81 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
82 wmemset(data, L'A', 50-1); /* fill with L'A's */
83 data[50-1] = L'\0'; /* null terminate */
84 }
85 {
86 wchar_t dest[50] = L"";
87 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
88 memmove(dest, data, wcslen(data)*sizeof(wchar_t));
89 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
90 printWLine(data);
91 }
92}
93
94void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memmove_13_good()
95{
96 goodG2B1();
97 goodG2B2();
98}
99
100#endif /* OMITGOOD */
101
102/* Below is the main(). It is only used when building this testcase on
103 * its own for testing or for building a binary to use in testing binary
104 * analysis tools. It is not used when compiling all the testcases as one
105 * application, which is how source code analysis tools are tested.
106 */
107
108#ifdef INCLUDEMAIN
109
110int main(int argc, char * argv[])
111{
112 /* seed randomness */
113 srand( (unsigned)time(NULL) );
114#ifndef OMITGOOD
115 printLine("Calling good()...");
116 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memmove_13_good();
117 printLine("Finished good()");
118#endif /* OMITGOOD */
119#ifndef OMITBAD
120 printLine("Calling bad()...");
121 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_memmove_13_bad();
122 printLine("Finished bad()");
123#endif /* OMITBAD */
124 return 0;
125}
126
127#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5080: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_ncpy_06.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_ncpy_06.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml
4Template File: sources-sink-06.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 * GoodSource: Allocate enough memory for a string and the NULL terminator
11 * Sink: ncpy
12 * BadSink : Copy string to data using wcsncpy()
13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING L"AAAAAAAAAA"
25
26/* The variable below is declared "const", so a tool should be able
27 * to identify that reads of this will always give its initialized value. */
28static const int STATIC_CONST_FIVE = 5;
29
30#ifndef OMITBAD
31
32void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_ncpy_06_bad()
33{
34 wchar_t * data;
35 data = NULL;
36 if(STATIC_CONST_FIVE==5)
37 {
38 /* FLAW: Did not leave space for a null terminator */
39 data = (wchar_t *)malloc(10*sizeof(wchar_t));
40 if (data == NULL) {exit(-1);}
41 }
42 {
43 wchar_t source[10+1] = SRC_STRING;
44 /* Copy length + 1 to include NUL terminator from source */
45 /* POTENTIAL FLAW: data may not have enough space to hold source */
46 wcsncpy(data, source, wcslen(source) + 1);❗VULN
47 printWLine(data);
48 free(data);
49 }
50}
51
52#endif /* OMITBAD */
53
54#ifndef OMITGOOD
55
56/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */
57static void goodG2B1()
58{
59 wchar_t * data;
60 data = NULL;
61 if(STATIC_CONST_FIVE!=5)
62 {
63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
64 printLine("Benign, fixed string");
65 }
66 else
67 {
68 /* FIX: Allocate space for a null terminator */
69 data = (wchar_t *)malloc((10+1)*sizeof(wchar_t));
70 if (data == NULL) {exit(-1);}
71 }
72 {
73 wchar_t source[10+1] = SRC_STRING;
74 /* Copy length + 1 to include NUL terminator from source */
75 /* POTENTIAL FLAW: data may not have enough space to hold source */
76 wcsncpy(data, source, wcslen(source) + 1);
77 printWLine(data);
78 free(data);
79 }
80}
81
82/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
83static void goodG2B2()
84{
85 wchar_t * data;
86 data = NULL;
87 if(STATIC_CONST_FIVE==5)
88 {
89 /* FIX: Allocate space for a null terminator */
90 data = (wchar_t *)malloc((10+1)*sizeof(wchar_t));
91 if (data == NULL) {exit(-1);}
92 }
93 {
94 wchar_t source[10+1] = SRC_STRING;
95 /* Copy length + 1 to include NUL terminator from source */
96 /* POTENTIAL FLAW: data may not have enough space to hold source */
97 wcsncpy(data, source, wcslen(source) + 1);
98 printWLine(data);
99 free(data);
100 }
101}
102
103void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_ncpy_06_good()
104{
105 goodG2B1();
106 goodG2B2();
107}
108
109#endif /* OMITGOOD */
110
111/* Below is the main(). It is only used when building this testcase on
112 * its own for testing or for building a binary to use in testing binary
113 * analysis tools. It is not used when compiling all the testcases as one
114 * application, which is how source code analysis tools are tested.
115 */
116
117#ifdef INCLUDEMAIN
118
119int main(int argc, char * argv[])
120{
121 /* seed randomness */
122 srand( (unsigned)time(NULL) );
123#ifndef OMITGOOD
124 printLine("Calling good()...");
125 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_ncpy_06_good();
126 printLine("Finished good()");
127#endif /* OMITGOOD */
128#ifndef OMITBAD
129 printLine("Calling bad()...");
130 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_ncpy_06_bad();
131 printLine("Finished bad()");
132#endif /* OMITBAD */
133 return 0;
134}
135
136#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 873: CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_15.c

Nodes: 31 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_15.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE129.label.xml
4Template File: sources-sinks-15.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: rand Set data to result of rand(), which may be zero
10 * GoodSource: Larger than zero but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the upper bound
14 * Flow Variant: 15 Control flow: switch(6) and switch(7)
15 *
16 * */
17
18#include "std_testcase.h"
19
20#ifndef OMITBAD
21
22void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_15_bad()
23{
24 int data;
25 /* Initialize data */
26 data = -1;
27 switch(6)
28 {
29 case 6:
30 /* POTENTIAL FLAW: Set data to a random value */
31 data = RAND32();
32 break;
33 default:
34 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
35 printLine("Benign, fixed string");
36 break;
37 }
38 switch(7)
39 {
40 case 7:
41 {
42 int i;
43 int * buffer = (int *)malloc(10 * sizeof(int));
44 if (buffer == NULL) {exit(-1);}
45 /* initialize buffer */
46 for (i = 0; i < 10; i++)
47 {
48 buffer[i] = 0;
49 }
50 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
51 * This code does check to see if the array index is negative */
52 if (data >= 0)
53 {
54 buffer[data] = 1;❗VULN
55 /* Print the array values */
56 for(i = 0; i < 10; i++)
57 {
58 printIntLine(buffer[i]);
59 }
60 }
61 else
62 {
63 printLine("ERROR: Array index is negative.");
64 }
65 free(buffer);
66 }
67 break;
68 default:
69 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
70 printLine("Benign, fixed string");
71 break;
72 }
73}
74
75#endif /* OMITBAD */
76
77#ifndef OMITGOOD
78
79/* goodB2G1() - use badsource and goodsink by changing the second switch to switch(8) */
80static void goodB2G1()
81{
82 int data;
83 /* Initialize data */
84 data = -1;
85 switch(6)
86 {
87 case 6:
88 /* POTENTIAL FLAW: Set data to a random value */
89 data = RAND32();
90 break;
91 default:
92 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
93 printLine("Benign, fixed string");
94 break;
95 }
96 switch(8)
97 {
98 case 7:
99 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
100 printLine("Benign, fixed string");
101 break;
102 default:
103 {
104 int i;
105 int * buffer = (int *)malloc(10 * sizeof(int));
106 if (buffer == NULL) {exit(-1);}
107 /* initialize buffer */
108 for (i = 0; i < 10; i++)
109 {
110 buffer[i] = 0;
111 }
112 /* FIX: Properly validate the array index and prevent a buffer overflow */
113 if (data >= 0 && data < (10))
114 {
115 buffer[data] = 1;
116 /* Print the array values */
117 for(i = 0; i < 10; i++)
118 {
119 printIntLine(buffer[i]);
120 }
121 }
122 else
123 {
124 printLine("ERROR: Array index is out-of-bounds");
125 }
126 free(buffer);
127 }
128 break;
129 }
130}
131
132/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second switch */
133static void goodB2G2()
134{
135 int data;
136 /* Initialize data */
137 data = -1;
138 switch(6)
139 {
140 case 6:
141 /* POTENTIAL FLAW: Set data to a random value */
142 data = RAND32();
143 break;
144 default:
145 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
146 printLine("Benign, fixed string");
147 break;
148 }
149 switch(7)
150 {
151 case 7:
152 {
153 int i;
154 int * buffer = (int *)malloc(10 * sizeof(int));
155 if (buffer == NULL) {exit(-1);}
156 /* initialize buffer */
157 for (i = 0; i < 10; i++)
158 {
159 buffer[i] = 0;
160 }
161 /* FIX: Properly validate the array index and prevent a buffer overflow */
162 if (data >= 0 && data < (10))
163 {
164 buffer[data] = 1;
165 /* Print the array values */
166 for(i = 0; i < 10; i++)
167 {
168 printIntLine(buffer[i]);
169 }
170 }
171 else
172 {
173 printLine("ERROR: Array index is out-of-bounds");
174 }
175 free(buffer);
176 }
177 break;
178 default:
179 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
180 printLine("Benign, fixed string");
181 break;
182 }
183}
184
185/* goodG2B1() - use goodsource and badsink by changing the first switch to switch(5) */
186static void goodG2B1()
187{
188 int data;
189 /* Initialize data */
190 data = -1;
191 switch(5)
192 {
193 case 6:
194 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
195 printLine("Benign, fixed string");
196 break;
197 default:
198 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
199 * access an index of the array in the sink that is out-of-bounds */
200 data = 7;
201 break;
202 }
203 switch(7)
204 {
205 case 7:
206 {
207 int i;
208 int * buffer = (int *)malloc(10 * sizeof(int));
209 if (buffer == NULL) {exit(-1);}
210 /* initialize buffer */
211 for (i = 0; i < 10; i++)
212 {
213 buffer[i] = 0;
214 }
215 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
216 * This code does check to see if the array index is negative */
217 if (data >= 0)
218 {
219 buffer[data] = 1;
220 /* Print the array values */
221 for(i = 0; i < 10; i++)
222 {
223 printIntLine(buffer[i]);
224 }
225 }
226 else
227 {
228 printLine("ERROR: Array index is negative.");
229 }
230 free(buffer);
231 }
232 break;
233 default:
234 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
235 printLine("Benign, fixed string");
236 break;
237 }
238}
239
240/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first switch */
241static void goodG2B2()
242{
243 int data;
244 /* Initialize data */
245 data = -1;
246 switch(6)
247 {
248 case 6:
249 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
250 * access an index of the array in the sink that is out-of-bounds */
251 data = 7;
252 break;
253 default:
254 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
255 printLine("Benign, fixed string");
256 break;
257 }
258 switch(7)
259 {
260 case 7:
261 {
262 int i;
263 int * buffer = (int *)malloc(10 * sizeof(int));
264 if (buffer == NULL) {exit(-1);}
265 /* initialize buffer */
266 for (i = 0; i < 10; i++)
267 {
268 buffer[i] = 0;
269 }
270 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
271 * This code does check to see if the array index is negative */
272 if (data >= 0)
273 {
274 buffer[data] = 1;
275 /* Print the array values */
276 for(i = 0; i < 10; i++)
277 {
278 printIntLine(buffer[i]);
279 }
280 }
281 else
282 {
283 printLine("ERROR: Array index is negative.");
284 }
285 free(buffer);
286 }
287 break;
288 default:
289 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
290 printLine("Benign, fixed string");
291 break;
292 }
293}
294
295void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_15_good()
296{
297 goodB2G1();
298 goodB2G2();
299 goodG2B1();
300 goodG2B2();
301}
302
303#endif /* OMITGOOD */
304
305/* Below is the main(). It is only used when building this testcase on
306 its own for testing or for building a binary to use in testing binary
307 analysis tools. It is not used when compiling all the testcases as one
308 application, which is how source code analysis tools are tested. */
309
310#ifdef INCLUDEMAIN
311
312int main(int argc, char * argv[])
313{
314 /* seed randomness */
315 srand( (unsigned)time(NULL) );
316#ifndef OMITGOOD
317 printLine("Calling good()...");
318 CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_15_good();
319 printLine("Finished good()");
320#endif /* OMITGOOD */
321#ifndef OMITBAD
322 printLine("Calling bad()...");
323 CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_15_bad();
324 printLine("Finished bad()");
325#endif /* OMITBAD */
326 return 0;
327}
328
329#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7893: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_memmove_06.cpp

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_memmove_06.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml
4Template File: sources-sink-06.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: memmove
12 * BadSink : Copy string to data using memmove
13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The variable below is declared "const", so a tool should be able
22 to identify that reads of this will always give its initialized
23 value. */
24static const int STATIC_CONST_FIVE = 5;
25
26namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_memmove_06
27{
28
29#ifndef OMITBAD
30
31void bad()
32{
33 wchar_t * data;
34 data = NULL;
35 if(STATIC_CONST_FIVE==5)
36 {
37 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
38 data = new wchar_t[50];
39 data[0] = L'\0'; /* null terminate */
40 }
41 {
42 wchar_t source[100];
43 wmemset(source, L'C', 100-1); /* fill with L'C's */
44 source[100-1] = L'\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
46 memmove(data, source, 100*sizeof(wchar_t));❗VULN
47 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
48 printWLine(data);
49 delete [] data;
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */
58static void goodG2B1()
59{
60 wchar_t * data;
61 data = NULL;
62 if(STATIC_CONST_FIVE!=5)
63 {
64 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
65 printLine("Benign, fixed string");
66 }
67 else
68 {
69 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
70 data = new wchar_t[100];
71 data[0] = L'\0'; /* null terminate */
72 }
73 {
74 wchar_t source[100];
75 wmemset(source, L'C', 100-1); /* fill with L'C's */
76 source[100-1] = L'\0'; /* null terminate */
77 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
78 memmove(data, source, 100*sizeof(wchar_t));
79 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
80 printWLine(data);
81 delete [] data;
82 }
83}
84
85/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
86static void goodG2B2()
87{
88 wchar_t * data;
89 data = NULL;
90 if(STATIC_CONST_FIVE==5)
91 {
92 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
93 data = new wchar_t[100];
94 data[0] = L'\0'; /* null terminate */
95 }
96 {
97 wchar_t source[100];
98 wmemset(source, L'C', 100-1); /* fill with L'C's */
99 source[100-1] = L'\0'; /* null terminate */
100 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
101 memmove(data, source, 100*sizeof(wchar_t));
102 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
103 printWLine(data);
104 delete [] data;
105 }
106}
107
108void good()
109{
110 goodG2B1();
111 goodG2B2();
112}
113
114#endif /* OMITGOOD */
115
116} /* close namespace */
117
118/* Below is the main(). It is only used when building this testcase on
119 its own for testing or for building a binary to use in testing binary
120 analysis tools. It is not used when compiling all the testcases as one
121 application, which is how source code analysis tools are tested. */
122
123#ifdef INCLUDEMAIN
124
125using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_memmove_06; /* so that we can use good and bad easily */
126
127int main(int argc, char * argv[])
128{
129 /* seed randomness */
130 srand( (unsigned)time(NULL) );
131#ifndef OMITGOOD
132 printLine("Calling good()...");
133 good();
134 printLine("Finished good()");
135#endif /* OMITGOOD */
136#ifndef OMITBAD
137 printLine("Calling bad()...");
138 bad();
139 printLine("Finished bad()");
140#endif /* OMITBAD */
141 return 0;
142}
143
144#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7813: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_10.cpp

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_10.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml
4Template File: sources-sink-10.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: ncat
12 * BadSink : Copy string to data using wcsncat
13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_10
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 wchar_t * data;
29 data = NULL;
30 if(globalTrue)
31 {
32 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
33 data = new wchar_t[50];
34 data[0] = L'\0'; /* null terminate */
35 }
36 {
37 wchar_t source[100];
38 wmemset(source, L'C', 100-1); /* fill with L'C's */
39 source[100-1] = L'\0'; /* null terminate */
40 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
41 wcsncat(data, source, 100);❗VULN
42 printWLine(data);
43 delete [] data;
44 }
45}
46
47#endif /* OMITBAD */
48
49#ifndef OMITGOOD
50
51/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */
52static void goodG2B1()
53{
54 wchar_t * data;
55 data = NULL;
56 if(globalFalse)
57 {
58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
59 printLine("Benign, fixed string");
60 }
61 else
62 {
63 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
64 data = new wchar_t[100];
65 data[0] = L'\0'; /* null terminate */
66 }
67 {
68 wchar_t source[100];
69 wmemset(source, L'C', 100-1); /* fill with L'C's */
70 source[100-1] = L'\0'; /* null terminate */
71 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
72 wcsncat(data, source, 100);
73 printWLine(data);
74 delete [] data;
75 }
76}
77
78/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
79static void goodG2B2()
80{
81 wchar_t * data;
82 data = NULL;
83 if(globalTrue)
84 {
85 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
86 data = new wchar_t[100];
87 data[0] = L'\0'; /* null terminate */
88 }
89 {
90 wchar_t source[100];
91 wmemset(source, L'C', 100-1); /* fill with L'C's */
92 source[100-1] = L'\0'; /* null terminate */
93 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
94 wcsncat(data, source, 100);
95 printWLine(data);
96 delete [] data;
97 }
98}
99
100void good()
101{
102 goodG2B1();
103 goodG2B2();
104}
105
106#endif /* OMITGOOD */
107
108} /* close namespace */
109
110/* Below is the main(). It is only used when building this testcase on
111 its own for testing or for building a binary to use in testing binary
112 analysis tools. It is not used when compiling all the testcases as one
113 application, which is how source code analysis tools are tested. */
114
115#ifdef INCLUDEMAIN
116
117using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_10; /* so that we can use good and bad easily */
118
119int main(int argc, char * argv[])
120{
121 /* seed randomness */
122 srand( (unsigned)time(NULL) );
123#ifndef OMITGOOD
124 printLine("Calling good()...");
125 good();
126 printLine("Finished good()");
127#endif /* OMITGOOD */
128#ifndef OMITBAD
129 printLine("Calling bad()...");
130 bad();
131 printLine("Finished bad()");
132#endif /* OMITBAD */
133 return 0;
134}
135
136#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4825: CWE127_Buffer_Underread__char_alloca_memcpy_06.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__char_alloca_memcpy_06.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-06.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The variable below is declared "const", so a tool should be able
22 * to identify that reads of this will always give its initialized value. */
23static const int STATIC_CONST_FIVE = 5;
24
25#ifndef OMITBAD
26
27void CWE127_Buffer_Underread__char_alloca_memcpy_06_bad()
28{
29 char * data;
30 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
31 memset(dataBuffer, 'A', 100-1);
32 dataBuffer[100-1] = '\0';
33 if(STATIC_CONST_FIVE==5)
34 {
35 /* FLAW: Set data pointer to before the allocated memory buffer */
36 data = dataBuffer - 8;
37 }
38 {
39 char dest[100];
40 memset(dest, 'C', 100-1); /* fill with 'C's */
41 dest[100-1] = '\0'; /* null terminate */
42 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
43 memcpy(dest, data, 100*sizeof(char));❗VULN
44 /* Ensure null termination */
45 dest[100-1] = '\0';
46 printLine(dest);
47 }
48}
49
50#endif /* OMITBAD */
51
52#ifndef OMITGOOD
53
54/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */
55static void goodG2B1()
56{
57 char * data;
58 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
59 memset(dataBuffer, 'A', 100-1);
60 dataBuffer[100-1] = '\0';
61 if(STATIC_CONST_FIVE!=5)
62 {
63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
64 printLine("Benign, fixed string");
65 }
66 else
67 {
68 /* FIX: Set data pointer to the allocated memory buffer */
69 data = dataBuffer;
70 }
71 {
72 char dest[100];
73 memset(dest, 'C', 100-1); /* fill with 'C's */
74 dest[100-1] = '\0'; /* null terminate */
75 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
76 memcpy(dest, data, 100*sizeof(char));
77 /* Ensure null termination */
78 dest[100-1] = '\0';
79 printLine(dest);
80 }
81}
82
83/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
84static void goodG2B2()
85{
86 char * data;
87 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
88 memset(dataBuffer, 'A', 100-1);
89 dataBuffer[100-1] = '\0';
90 if(STATIC_CONST_FIVE==5)
91 {
92 /* FIX: Set data pointer to the allocated memory buffer */
93 data = dataBuffer;
94 }
95 {
96 char dest[100];
97 memset(dest, 'C', 100-1); /* fill with 'C's */
98 dest[100-1] = '\0'; /* null terminate */
99 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
100 memcpy(dest, data, 100*sizeof(char));
101 /* Ensure null termination */
102 dest[100-1] = '\0';
103 printLine(dest);
104 }
105}
106
107void CWE127_Buffer_Underread__char_alloca_memcpy_06_good()
108{
109 goodG2B1();
110 goodG2B2();
111}
112
113#endif /* OMITGOOD */
114
115/* Below is the main(). It is only used when building this testcase on
116 * its own for testing or for building a binary to use in testing binary
117 * analysis tools. It is not used when compiling all the testcases as one
118 * application, which is how source code analysis tools are tested.
119 */
120
121#ifdef INCLUDEMAIN
122
123int main(int argc, char * argv[])
124{
125 /* seed randomness */
126 srand( (unsigned)time(NULL) );
127#ifndef OMITGOOD
128 printLine("Calling good()...");
129 CWE127_Buffer_Underread__char_alloca_memcpy_06_good();
130 printLine("Finished good()");
131#endif /* OMITGOOD */
132#ifndef OMITBAD
133 printLine("Calling bad()...");
134 CWE127_Buffer_Underread__char_alloca_memcpy_06_bad();
135 printLine("Finished bad()");
136#endif /* OMITBAD */
137 return 0;
138}
139
140#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4530: CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61a.c

Nodes: 19 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61a.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE129.label.xml
4Template File: sources-sinks-61a.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: fgets Read data from the console using fgets()
10 * GoodSource: Larger than zero but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the upper bound
14 * Flow Variant: 61 Data flow: data returned from one function to another in different source files
15 *
16 * */
17
18#include "std_testcase.h"
19
20#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)
21
22#ifndef OMITBAD
23
24/* bad function declaration */
25int CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61b_badSource(int data);
26
27void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61_bad()
28{
29 int data;
30 /* Initialize data */
31 data = -1;
32 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61b_badSource(data);
33 {
34 int i;
35 int * buffer = (int *)malloc(10 * sizeof(int));
36 if (buffer == NULL) {exit(-1);}
37 /* initialize buffer */
38 for (i = 0; i < 10; i++)
39 {
40 buffer[i] = 0;
41 }
42 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
43 * This code does check to see if the array index is negative */
44 if (data >= 0)
45 {
46 buffer[data] = 1;❗VULN
47 /* Print the array values */
48 for(i = 0; i < 10; i++)
49 {
50 printIntLine(buffer[i]);
51 }
52 }
53 else
54 {
55 printLine("ERROR: Array index is negative.");
56 }
57 free(buffer);
58 }
59}
60
61#endif /* OMITBAD */
62
63#ifndef OMITGOOD
64
65/* goodG2B uses the GoodSource with the BadSink */
66int CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61b_goodG2BSource(int data);
67
68static void goodG2B()
69{
70 int data;
71 /* Initialize data */
72 data = -1;
73 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61b_goodG2BSource(data);
74 {
75 int i;
76 int * buffer = (int *)malloc(10 * sizeof(int));
77 if (buffer == NULL) {exit(-1);}
78 /* initialize buffer */
79 for (i = 0; i < 10; i++)
80 {
81 buffer[i] = 0;
82 }
83 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
84 * This code does check to see if the array index is negative */
85 if (data >= 0)
86 {
87 buffer[data] = 1;
88 /* Print the array values */
89 for(i = 0; i < 10; i++)
90 {
91 printIntLine(buffer[i]);
92 }
93 }
94 else
95 {
96 printLine("ERROR: Array index is negative.");
97 }
98 free(buffer);
99 }
100}
101
102/* goodB2G uses the BadSource with the GoodSink */
103int CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61b_goodB2GSource(int data);
104
105static void goodB2G()
106{
107 int data;
108 /* Initialize data */
109 data = -1;
110 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61b_goodB2GSource(data);
111 {
112 int i;
113 int * buffer = (int *)malloc(10 * sizeof(int));
114 if (buffer == NULL) {exit(-1);}
115 /* initialize buffer */
116 for (i = 0; i < 10; i++)
117 {
118 buffer[i] = 0;
119 }
120 /* FIX: Properly validate the array index and prevent a buffer overflow */
121 if (data >= 0 && data < (10))
122 {
123 buffer[data] = 1;
124 /* Print the array values */
125 for(i = 0; i < 10; i++)
126 {
127 printIntLine(buffer[i]);
128 }
129 }
130 else
131 {
132 printLine("ERROR: Array index is out-of-bounds");
133 }
134 free(buffer);
135 }
136}
137
138void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61_good()
139{
140 goodG2B();
141 goodB2G();
142}
143
144#endif /* OMITGOOD */
145
146/* Below is the main(). It is only used when building this testcase on
147 its own for testing or for building a binary to use in testing binary
148 analysis tools. It is not used when compiling all the testcases as one
149 application, which is how source code analysis tools are tested. */
150
151#ifdef INCLUDEMAIN
152
153int main(int argc, char * argv[])
154{
155 /* seed randomness */
156 srand( (unsigned)time(NULL) );
157#ifndef OMITGOOD
158 printLine("Calling good()...");
159 CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61_good();
160 printLine("Finished good()");
161#endif /* OMITGOOD */
162#ifndef OMITBAD
163 printLine("Calling bad()...");
164 CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fgets_61_bad();
165 printLine("Finished bad()");
166#endif /* OMITBAD */
167 return 0;
168}
169
170#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1552: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_18.c

Nodes: 19 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_18.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-18.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: loop
12 * BadSink : Copy twoIntsStruct array to data using a loop
13 * Flow Variant: 18 Control flow: goto statements
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_18_bad()
22{
23 twoIntsStruct * data;
24 twoIntsStruct dataBadBuffer[50];
25 twoIntsStruct dataGoodBuffer[100];
26 goto source;
27source:
28 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
29 * buffer in various memory copying functions using a "large" source buffer. */
30 data = dataBadBuffer;
31 {
32 twoIntsStruct source[100];
33 {
34 size_t i;
35 /* Initialize array */
36 for (i = 0; i < 100; i++)
37 {
38 source[i].intOne = 0;
39 source[i].intTwo = 0;
40 }
41 }
42 {
43 size_t i;
44 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
45 for (i = 0; i < 100; i++)
46 {
47 data[i] = source[i];❗VULN
48 }
49 printStructLine(&data[0]);
50 }
51 }
52}
53
54#endif /* OMITBAD */
55
56#ifndef OMITGOOD
57
58/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
59static void goodG2B()
60{
61 twoIntsStruct * data;
62 twoIntsStruct dataBadBuffer[50];
63 twoIntsStruct dataGoodBuffer[100];
64 goto source;
65source:
66 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
67 data = dataGoodBuffer;
68 {
69 twoIntsStruct source[100];
70 {
71 size_t i;
72 /* Initialize array */
73 for (i = 0; i < 100; i++)
74 {
75 source[i].intOne = 0;
76 source[i].intTwo = 0;
77 }
78 }
79 {
80 size_t i;
81 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
82 for (i = 0; i < 100; i++)
83 {
84 data[i] = source[i];
85 }
86 printStructLine(&data[0]);
87 }
88 }
89}
90
91void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_18_good()
92{
93 goodG2B();
94}
95
96#endif /* OMITGOOD */
97
98/* Below is the main(). It is only used when building this testcase on
99 * its own for testing or for building a binary to use in testing binary
100 * analysis tools. It is not used when compiling all the testcases as one
101 * application, which is how source code analysis tools are tested.
102 */
103
104#ifdef INCLUDEMAIN
105
106int main(int argc, char * argv[])
107{
108 /* seed randomness */
109 srand( (unsigned)time(NULL) );
110#ifndef OMITGOOD
111 printLine("Calling good()...");
112 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_18_good();
113 printLine("Finished good()");
114#endif /* OMITGOOD */
115#ifndef OMITBAD
116 printLine("Calling bad()...");
117 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_loop_18_bad();
118 printLine("Finished bad()");
119#endif /* OMITBAD */
120 return 0;
121}
122
123#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6010: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_memmove_18.c

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_memmove_18.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml
4Template File: sources-sink-18.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: memmove
12 * BadSink : Copy string to data using memmove
13 * Flow Variant: 18 Control flow: goto statements
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_memmove_18_bad()
24{
25 char * data;
26 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
27 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
28 goto source;
29source:
30 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
31 * buffer in various memory copying functions using a "large" source buffer. */
32 data = dataBadBuffer;
33 data[0] = '\0'; /* null terminate */
34 {
35 char source[100];
36 memset(source, 'C', 100-1); /* fill with 'C's */
37 source[100-1] = '\0'; /* null terminate */
38 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
39 memmove(data, source, 100*sizeof(char));❗VULN
40 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
41 printLine(data);
42 }
43}
44
45#endif /* OMITBAD */
46
47#ifndef OMITGOOD
48
49/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
50static void goodG2B()
51{
52 char * data;
53 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
54 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
55 goto source;
56source:
57 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
58 data = dataGoodBuffer;
59 data[0] = '\0'; /* null terminate */
60 {
61 char source[100];
62 memset(source, 'C', 100-1); /* fill with 'C's */
63 source[100-1] = '\0'; /* null terminate */
64 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
65 memmove(data, source, 100*sizeof(char));
66 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
67 printLine(data);
68 }
69}
70
71void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_memmove_18_good()
72{
73 goodG2B();
74}
75
76#endif /* OMITGOOD */
77
78/* Below is the main(). It is only used when building this testcase on
79 * its own for testing or for building a binary to use in testing binary
80 * analysis tools. It is not used when compiling all the testcases as one
81 * application, which is how source code analysis tools are tested.
82 */
83
84#ifdef INCLUDEMAIN
85
86int main(int argc, char * argv[])
87{
88 /* seed randomness */
89 srand( (unsigned)time(NULL) );
90#ifndef OMITGOOD
91 printLine("Calling good()...");
92 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_memmove_18_good();
93 printLine("Finished good()");
94#endif /* OMITGOOD */
95#ifndef OMITBAD
96 printLine("Calling bad()...");
97 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_memmove_18_bad();
98 printLine("Finished bad()");
99#endif /* OMITBAD */
100 return 0;
101}
102
103#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8393: CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_alloca_memmove_17.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_alloca_memmove_17.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-17.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: memmove
12 * BadSink : Copy int64_t array to data using memmove
13 * Flow Variant: 17 Control flow: for loops
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_alloca_memmove_17_bad()
22{
23 int i;
24 int64_t * data;
25 int64_t * dataBadBuffer = (int64_t *)ALLOCA(50*sizeof(int64_t));
26 int64_t * dataGoodBuffer = (int64_t *)ALLOCA(100*sizeof(int64_t));
27 for(i = 0; i < 1; i++)
28 {
29 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
30 * buffer in various memory copying functions using a "large" source buffer. */
31 data = dataBadBuffer;
32 }
33 {
34 int64_t source[100] = {0}; /* fill with 0's */
35 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
36 memmove(data, source, 100*sizeof(int64_t));❗VULN
37 printLongLongLine(data[0]);
38 }
39}
40
41#endif /* OMITBAD */
42
43#ifndef OMITGOOD
44
45/* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */
46static void goodG2B()
47{
48 int h;
49 int64_t * data;
50 int64_t * dataBadBuffer = (int64_t *)ALLOCA(50*sizeof(int64_t));
51 int64_t * dataGoodBuffer = (int64_t *)ALLOCA(100*sizeof(int64_t));
52 for(h = 0; h < 1; h++)
53 {
54 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
55 data = dataGoodBuffer;
56 }
57 {
58 int64_t source[100] = {0}; /* fill with 0's */
59 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
60 memmove(data, source, 100*sizeof(int64_t));
61 printLongLongLine(data[0]);
62 }
63}
64
65void CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_alloca_memmove_17_good()
66{
67 goodG2B();
68}
69
70#endif /* OMITGOOD */
71
72/* Below is the main(). It is only used when building this testcase on
73 * its own for testing or for building a binary to use in testing binary
74 * analysis tools. It is not used when compiling all the testcases as one
75 * application, which is how source code analysis tools are tested.
76 */
77
78#ifdef INCLUDEMAIN
79
80int main(int argc, char * argv[])
81{
82 /* seed randomness */
83 srand( (unsigned)time(NULL) );
84#ifndef OMITGOOD
85 printLine("Calling good()...");
86 CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_alloca_memmove_17_good();
87 printLine("Finished good()");
88#endif /* OMITGOOD */
89#ifndef OMITBAD
90 printLine("Calling bad()...");
91 CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_alloca_memmove_17_bad();
92 printLine("Finished bad()");
93#endif /* OMITBAD */
94 return 0;
95}
96
97#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 63: CWE124_Buffer_Underwrite__char_declare_loop_02.c

Nodes: 16 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__char_declare_loop_02.c
3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml
4Template File: sources-sink-02.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: loop
12 * BadSink : Copy string to data using a loop
13 * Flow Variant: 02 Control flow: if(1) and if(0)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE124_Buffer_Underwrite__char_declare_loop_02_bad()
24{
25 char * data;
26 char dataBuffer[100];
27 memset(dataBuffer, 'A', 100-1);
28 dataBuffer[100-1] = '\0';
29 if(1)
30 {
31 /* FLAW: Set data pointer to before the allocated memory buffer */
32 data = dataBuffer - 8;
33 }
34 {
35 size_t i;
36 char source[100];
37 memset(source, 'C', 100-1); /* fill with 'C's */
38 source[100-1] = '\0'; /* null terminate */
39 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
40 for (i = 0; i < 100; i++)
41 {
42 data[i] = source[i];❗VULN
43 }
44 /* Ensure the destination buffer is null terminated */
45 data[100-1] = '\0';
46 printLine(data);
47 }
48}
49
50#endif /* OMITBAD */
51
52#ifndef OMITGOOD
53
54/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */
55static void goodG2B1()
56{
57 char * data;
58 char dataBuffer[100];
59 memset(dataBuffer, 'A', 100-1);
60 dataBuffer[100-1] = '\0';
61 if(0)
62 {
63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
64 printLine("Benign, fixed string");
65 }
66 else
67 {
68 /* FIX: Set data pointer to the allocated memory buffer */
69 data = dataBuffer;
70 }
71 {
72 size_t i;
73 char source[100];
74 memset(source, 'C', 100-1); /* fill with 'C's */
75 source[100-1] = '\0'; /* null terminate */
76 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
77 for (i = 0; i < 100; i++)
78 {
79 data[i] = source[i];
80 }
81 /* Ensure the destination buffer is null terminated */
82 data[100-1] = '\0';
83 printLine(data);
84 }
85}
86
87/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
88static void goodG2B2()
89{
90 char * data;
91 char dataBuffer[100];
92 memset(dataBuffer, 'A', 100-1);
93 dataBuffer[100-1] = '\0';
94 if(1)
95 {
96 /* FIX: Set data pointer to the allocated memory buffer */
97 data = dataBuffer;
98 }
99 {
100 size_t i;
101 char source[100];
102 memset(source, 'C', 100-1); /* fill with 'C's */
103 source[100-1] = '\0'; /* null terminate */
104 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
105 for (i = 0; i < 100; i++)
106 {
107 data[i] = source[i];
108 }
109 /* Ensure the destination buffer is null terminated */
110 data[100-1] = '\0';
111 printLine(data);
112 }
113}
114
115void CWE124_Buffer_Underwrite__char_declare_loop_02_good()
116{
117 goodG2B1();
118 goodG2B2();
119}
120
121#endif /* OMITGOOD */
122
123/* Below is the main(). It is only used when building this testcase on
124 * its own for testing or for building a binary to use in testing binary
125 * analysis tools. It is not used when compiling all the testcases as one
126 * application, which is how source code analysis tools are tested.
127 */
128
129#ifdef INCLUDEMAIN
130
131int main(int argc, char * argv[])
132{
133 /* seed randomness */
134 srand( (unsigned)time(NULL) );
135#ifndef OMITGOOD
136 printLine("Calling good()...");
137 CWE124_Buffer_Underwrite__char_declare_loop_02_good();
138 printLine("Finished good()");
139#endif /* OMITGOOD */
140#ifndef OMITBAD
141 printLine("Calling bad()...");
142 CWE124_Buffer_Underwrite__char_declare_loop_02_bad();
143 printLine("Finished bad()");
144#endif /* OMITBAD */
145 return 0;
146}
147
148#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9440: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_memcpy_16.cpp

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_memcpy_16.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806.label.xml
4Template File: sources-sink-16.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 16 Control flow: while(1)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_memcpy_16
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 char * data;
29 data = new char[100];
30 while(1)
31 {
32 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
33 memset(data, 'A', 100-1); /* fill with 'A's */
34 data[100-1] = '\0'; /* null terminate */
35 break;
36 }
37 {
38 char dest[50] = "";
39 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
40 memcpy(dest, data, strlen(data)*sizeof(char));❗VULN
41 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
42 printLine(data);
43 delete [] data;
44 }
45}
46
47#endif /* OMITBAD */
48
49#ifndef OMITGOOD
50
51/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */
52static void goodG2B()
53{
54 char * data;
55 data = new char[100];
56 while(1)
57 {
58 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
59 memset(data, 'A', 50-1); /* fill with 'A's */
60 data[50-1] = '\0'; /* null terminate */
61 break;
62 }
63 {
64 char dest[50] = "";
65 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
66 memcpy(dest, data, strlen(data)*sizeof(char));
67 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
68 printLine(data);
69 delete [] data;
70 }
71}
72
73void good()
74{
75 goodG2B();
76}
77
78#endif /* OMITGOOD */
79
80} /* close namespace */
81
82/* Below is the main(). It is only used when building this testcase on
83 its own for testing or for building a binary to use in testing binary
84 analysis tools. It is not used when compiling all the testcases as one
85 application, which is how source code analysis tools are tested. */
86
87#ifdef INCLUDEMAIN
88
89using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_memcpy_16; /* so that we can use good and bad easily */
90
91int main(int argc, char * argv[])
92{
93 /* seed randomness */
94 srand( (unsigned)time(NULL) );
95#ifndef OMITGOOD
96 printLine("Calling good()...");
97 good();
98 printLine("Finished good()");
99#endif /* OMITGOOD */
100#ifndef OMITBAD
101 printLine("Calling bad()...");
102 bad();
103 printLine("Finished bad()");
104#endif /* OMITBAD */
105 return 0;
106}
107
108#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2443: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memcpy_12.cpp

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memcpy_12.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.label.xml
4Template File: sources-sink-12.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: memcpy
12 * BadSink : Copy int64_t array to data using memcpy
13 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memcpy_12
20{
21
22#ifndef OMITBAD
23
24void bad()
25{
26 int64_t * data;
27 data = NULL;
28 if(globalReturnsTrueOrFalse())
29 {
30 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
31 data = new int64_t[50];
32 }
33 else
34 {
35 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
36 data = new int64_t[100];
37 }
38 {
39 int64_t source[100] = {0}; /* fill with 0's */
40 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
41 memcpy(data, source, 100*sizeof(int64_t));❗VULN
42 printLongLongLine(data[0]);
43 delete [] data;
44 }
45}
46
47#endif /* OMITBAD */
48
49#ifndef OMITGOOD
50
51/* goodG2B() - use goodsource and badsink by changing the "if" so that
52 both branches use the GoodSource */
53static void goodG2B()
54{
55 int64_t * data;
56 data = NULL;
57 if(globalReturnsTrueOrFalse())
58 {
59 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
60 data = new int64_t[100];
61 }
62 else
63 {
64 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
65 data = new int64_t[100];
66 }
67 {
68 int64_t source[100] = {0}; /* fill with 0's */
69 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
70 memcpy(data, source, 100*sizeof(int64_t));
71 printLongLongLine(data[0]);
72 delete [] data;
73 }
74}
75
76void good()
77{
78 goodG2B();
79}
80
81#endif /* OMITGOOD */
82
83} /* close namespace */
84
85/* Below is the main(). It is only used when building this testcase on
86 its own for testing or for building a binary to use in testing binary
87 analysis tools. It is not used when compiling all the testcases as one
88 application, which is how source code analysis tools are tested. */
89
90#ifdef INCLUDEMAIN
91
92using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memcpy_12; /* so that we can use good and bad easily */
93
94int main(int argc, char * argv[])
95{
96 /* seed randomness */
97 srand( (unsigned)time(NULL) );
98#ifndef OMITGOOD
99 printLine("Calling good()...");
100 good();
101 printLine("Finished good()");
102#endif /* OMITGOOD */
103#ifndef OMITBAD
104 printLine("Calling bad()...");
105 bad();
106 printLine("Finished bad()");
107#endif /* OMITBAD */
108 return 0;
109}
110
111#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6201: CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_04.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_04.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__CWE131.label.xml
4Template File: sources-sink-04.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory without using sizeof(int)
10 * GoodSource: Allocate memory using sizeof(int)
11 * Sink: memmove
12 * BadSink : Copy array to data using memmove()
13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)
14 *
15 * */
16
17#include "std_testcase.h"
18
19/* The two variables below are declared "const", so a tool should
20 * be able to identify that reads of these will always return their
21 * initialized values.
22 */
23static const int STATIC_CONST_TRUE = 1; /* true */
24static const int STATIC_CONST_FALSE = 0; /* false */
25
26#ifndef OMITBAD
27
28void CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_04_bad()
29{
30 int * data;
31 data = NULL;
32 if(STATIC_CONST_TRUE)
33 {
34 /* FLAW: Allocate memory without using sizeof(int) */
35 data = (int *)malloc(10);
36 if (data == NULL) {exit(-1);}
37 }
38 {
39 int source[10] = {0};
40 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
41 memmove(data, source, 10*sizeof(int));❗VULN
42 printIntLine(data[0]);
43 free(data);
44 }
45}
46
47#endif /* OMITBAD */
48
49#ifndef OMITGOOD
50
51/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */
52static void goodG2B1()
53{
54 int * data;
55 data = NULL;
56 if(STATIC_CONST_FALSE)
57 {
58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
59 printLine("Benign, fixed string");
60 }
61 else
62 {
63 /* FIX: Allocate memory using sizeof(int) */
64 data = (int *)malloc(10*sizeof(int));
65 if (data == NULL) {exit(-1);}
66 }
67 {
68 int source[10] = {0};
69 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
70 memmove(data, source, 10*sizeof(int));
71 printIntLine(data[0]);
72 free(data);
73 }
74}
75
76/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
77static void goodG2B2()
78{
79 int * data;
80 data = NULL;
81 if(STATIC_CONST_TRUE)
82 {
83 /* FIX: Allocate memory using sizeof(int) */
84 data = (int *)malloc(10*sizeof(int));
85 if (data == NULL) {exit(-1);}
86 }
87 {
88 int source[10] = {0};
89 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
90 memmove(data, source, 10*sizeof(int));
91 printIntLine(data[0]);
92 free(data);
93 }
94}
95
96void CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_04_good()
97{
98 goodG2B1();
99 goodG2B2();
100}
101
102#endif /* OMITGOOD */
103
104/* Below is the main(). It is only used when building this testcase on
105 * its own for testing or for building a binary to use in testing binary
106 * analysis tools. It is not used when compiling all the testcases as one
107 * application, which is how source code analysis tools are tested.
108 */
109
110#ifdef INCLUDEMAIN
111
112int main(int argc, char * argv[])
113{
114 /* seed randomness */
115 srand( (unsigned)time(NULL) );
116#ifndef OMITGOOD
117 printLine("Calling good()...");
118 CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_04_good();
119 printLine("Finished good()");
120#endif /* OMITGOOD */
121#ifndef OMITBAD
122 printLine("Calling bad()...");
123 CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_04_bad();
124 printLine("Finished bad()");
125#endif /* OMITBAD */
126 return 0;
127}
128
129#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2756: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_68b.cpp

Nodes: 6 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_68b.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806.label.xml
4Template File: sources-sink-68b.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: ncpy
12 * BadSink : Copy data to string using strncpy
13 * Flow Variant: 68 Data flow: data passed as a global variable from one function to another in different source files
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21extern char * CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_68_badData;
22extern char * CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_68_goodG2BData;
23
24namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_68
25{
26
27/* all the sinks are the same, we just want to know where the hit originated if a tool flags one */
28
29#ifndef OMITBAD
30
31void badSink()
32{
33 char * data = CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_68_badData;
34 {
35 char dest[50] = "";
36 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
37 strncpy(dest, data, strlen(data));❗VULN
38 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
39 printLine(data);
40 delete [] data;
41 }
42}
43
44#endif /* OMITBAD */
45
46#ifndef OMITGOOD
47
48/* goodG2B uses the GoodSource with the BadSink */
49void goodG2BSink()
50{
51 char * data = CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_68_goodG2BData;
52 {
53 char dest[50] = "";
54 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
55 strncpy(dest, data, strlen(data));
56 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
57 printLine(data);
58 delete [] data;
59 }
60}
61
62#endif /* OMITGOOD */
63
64} /* close namespace */

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4238: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memmove_33.cpp

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memmove_33.cpp
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-33.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sinks: memmove
12 * BadSink : Copy twoIntsStruct array to data using memmove
13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19namespace CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memmove_33
20{
21
22#ifndef OMITBAD
23
24void bad()
25{
26 twoIntsStruct * data;
27 twoIntsStruct * &dataRef = data;
28 twoIntsStruct dataBadBuffer[50];
29 twoIntsStruct dataGoodBuffer[100];
30 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
31 * buffer in various memory copying functions using a "large" source buffer. */
32 data = dataBadBuffer;
33 {
34 twoIntsStruct * data = dataRef;
35 {
36 twoIntsStruct source[100];
37 {
38 size_t i;
39 /* Initialize array */
40 for (i = 0; i < 100; i++)
41 {
42 source[i].intOne = 0;
43 source[i].intTwo = 0;
44 }
45 }
46 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
47 memmove(data, source, 100*sizeof(twoIntsStruct));❗VULN
48 printStructLine(&data[0]);
49 }
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B() uses the GoodSource with the BadSink */
58static void goodG2B()
59{
60 twoIntsStruct * data;
61 twoIntsStruct * &dataRef = data;
62 twoIntsStruct dataBadBuffer[50];
63 twoIntsStruct dataGoodBuffer[100];
64 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
65 data = dataGoodBuffer;
66 {
67 twoIntsStruct * data = dataRef;
68 {
69 twoIntsStruct source[100];
70 {
71 size_t i;
72 /* Initialize array */
73 for (i = 0; i < 100; i++)
74 {
75 source[i].intOne = 0;
76 source[i].intTwo = 0;
77 }
78 }
79 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
80 memmove(data, source, 100*sizeof(twoIntsStruct));
81 printStructLine(&data[0]);
82 }
83 }
84}
85
86void good()
87{
88 goodG2B();
89}
90
91#endif /* OMITGOOD */
92
93} /* close namespace */
94
95/* Below is the main(). It is only used when building this testcase on
96 * its own for testing or for building a binary to use in testing binary
97 * analysis tools. It is not used when compiling all the testcases as one
98 * application, which is how source code analysis tools are tested.
99 */
100#ifdef INCLUDEMAIN
101
102using namespace CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memmove_33; /* so that we can use good and bad easily */
103
104int main(int argc, char * argv[])
105{
106 /* seed randomness */
107 srand( (unsigned)time(NULL) );
108#ifndef OMITGOOD
109 printLine("Calling good()...");
110 good();
111 printLine("Finished good()");
112#endif /* OMITGOOD */
113#ifndef OMITBAD
114 printLine("Calling bad()...");
115 bad();
116 printLine("Finished bad()");
117#endif /* OMITBAD */
118 return 0;
119}
120
121#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8001: CWE122_Heap_Based_Buffer_Overflow__CWE135_15.c

Nodes: 27 | Sink Nodes: 2 predicted, 2 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__CWE135_15.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__CWE135.label.xml
4Template File: sources-sinks-15.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Void pointer to a wchar_t array
10 * GoodSource: Void pointer to a char array
11 * Sinks:
12 * GoodSink: Allocate memory using wcslen() and copy data
13 * BadSink : Allocate memory using strlen() and copy data
14 * Flow Variant: 15 Control flow: switch(6) and switch(7)
15 *
16 * */
17
18#include "std_testcase.h"
19
20#include <wchar.h>
21
22#ifndef OMITBAD
23
24void CWE122_Heap_Based_Buffer_Overflow__CWE135_15_bad()
25{
26 void * data;
27 data = NULL;
28 switch(6)
29 {
30 case 6:
31 {
32 wchar_t * dataBadBuffer = (wchar_t *)malloc(50*sizeof(wchar_t));
33 if (dataBadBuffer == NULL) {exit(-1);}
34 wmemset(dataBadBuffer, L'A', 50-1);
35 dataBadBuffer[50-1] = L'\0';
36 /* POTENTIAL FLAW: Set data to point to a wide string */
37 data = (void *)dataBadBuffer;
38 }
39 break;
40 default:
41 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
42 printLine("Benign, fixed string");
43 break;
44 }
45 switch(7)
46 {
47 case 7:
48 {
49 /* POTENTIAL FLAW: treating pointer as a char* when it may point to a wide string */
50 size_t dataLen = strlen((char *)data);❗VULN
51 void * dest = (void *)calloc(dataLen+1, sizeof(wchar_t));
52 if (dest == NULL) {exit(-1);}
53 (void)wcscpy(dest, data);❗VULN
54 printLine((char *)dest);
55 free(dest);
56 }
57 break;
58 default:
59 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
60 printLine("Benign, fixed string");
61 break;
62 }
63}
64
65#endif /* OMITBAD */
66
67#ifndef OMITGOOD
68
69/* goodB2G1() - use badsource and goodsink by changing the second switch to switch(8) */
70static void goodB2G1()
71{
72 void * data;
73 data = NULL;
74 switch(6)
75 {
76 case 6:
77 {
78 wchar_t * dataBadBuffer = (wchar_t *)malloc(50*sizeof(wchar_t));
79 if (dataBadBuffer == NULL) {exit(-1);}
80 wmemset(dataBadBuffer, L'A', 50-1);
81 dataBadBuffer[50-1] = L'\0';
82 /* POTENTIAL FLAW: Set data to point to a wide string */
83 data = (void *)dataBadBuffer;
84 }
85 break;
86 default:
87 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
88 printLine("Benign, fixed string");
89 break;
90 }
91 switch(8)
92 {
93 case 7:
94 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
95 printLine("Benign, fixed string");
96 break;
97 default:
98 {
99 /* FIX: treating pointer like a wchar_t* */
100 size_t dataLen = wcslen((wchar_t *)data);
101 void * dest = (void *)calloc(dataLen+1, sizeof(wchar_t));
102 if (dest == NULL) {exit(-1);}
103 (void)wcscpy(dest, data);
104 printWLine((wchar_t *)dest);
105 free(dest);
106 }
107 break;
108 }
109}
110
111/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second switch */
112static void goodB2G2()
113{
114 void * data;
115 data = NULL;
116 switch(6)
117 {
118 case 6:
119 {
120 wchar_t * dataBadBuffer = (wchar_t *)malloc(50*sizeof(wchar_t));
121 if (dataBadBuffer == NULL) {exit(-1);}
122 wmemset(dataBadBuffer, L'A', 50-1);
123 dataBadBuffer[50-1] = L'\0';
124 /* POTENTIAL FLAW: Set data to point to a wide string */
125 data = (void *)dataBadBuffer;
126 }
127 break;
128 default:
129 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
130 printLine("Benign, fixed string");
131 break;
132 }
133 switch(7)
134 {
135 case 7:
136 {
137 /* FIX: treating pointer like a wchar_t* */
138 size_t dataLen = wcslen((wchar_t *)data);
139 void * dest = (void *)calloc(dataLen+1, sizeof(wchar_t));
140 if (dest == NULL) {exit(-1);}
141 (void)wcscpy(dest, data);
142 printWLine((wchar_t *)dest);
143 free(dest);
144 }
145 break;
146 default:
147 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
148 printLine("Benign, fixed string");
149 break;
150 }
151}
152
153/* goodG2B1() - use goodsource and badsink by changing the first switch to switch(5) */
154static void goodG2B1()
155{
156 void * data;
157 data = NULL;
158 switch(5)
159 {
160 case 6:
161 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
162 printLine("Benign, fixed string");
163 break;
164 default:
165 {
166 char * dataGoodBuffer = (char *)malloc(50*sizeof(char));
167 if (dataGoodBuffer == NULL) {exit(-1);}
168 memset(dataGoodBuffer, 'A', 50-1);
169 dataGoodBuffer[50-1] = '\0';
170 /* FIX: Set data to point to a char string */
171 data = (void *)dataGoodBuffer;
172 }
173 break;
174 }
175 switch(7)
176 {
177 case 7:
178 {
179 /* POTENTIAL FLAW: treating pointer as a char* when it may point to a wide string */
180 size_t dataLen = strlen((char *)data);
181 void * dest = (void *)calloc(dataLen+1, 1);
182 if (dest == NULL) {exit(-1);}
183 (void)strcpy(dest, data);
184 printLine((char *)dest);
185 free(dest);
186 }
187 break;
188 default:
189 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
190 printLine("Benign, fixed string");
191 break;
192 }
193}
194
195/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first switch */
196static void goodG2B2()
197{
198 void * data;
199 data = NULL;
200 switch(6)
201 {
202 case 6:
203 {
204 char * dataGoodBuffer = (char *)malloc(50*sizeof(char));
205 if (dataGoodBuffer == NULL) {exit(-1);}
206 memset(dataGoodBuffer, 'A', 50-1);
207 dataGoodBuffer[50-1] = '\0';
208 /* FIX: Set data to point to a char string */
209 data = (void *)dataGoodBuffer;
210 }
211 break;
212 default:
213 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
214 printLine("Benign, fixed string");
215 break;
216 }
217 switch(7)
218 {
219 case 7:
220 {
221 /* POTENTIAL FLAW: treating pointer as a char* when it may point to a wide string */
222 size_t dataLen = strlen((char *)data);
223 void * dest = (void *)calloc(dataLen+1, 1);
224 if (dest == NULL) {exit(-1);}
225 (void)strcpy(dest, data);
226 printLine((char *)dest);
227 free(dest);
228 }
229 break;
230 default:
231 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
232 printLine("Benign, fixed string");
233 break;
234 }
235}
236
237void CWE122_Heap_Based_Buffer_Overflow__CWE135_15_good()
238{
239 goodB2G1();
240 goodB2G2();
241 goodG2B1();
242 goodG2B2();
243}
244
245#endif /* OMITGOOD */
246
247/* Below is the main(). It is only used when building this testcase on
248 its own for testing or for building a binary to use in testing binary
249 analysis tools. It is not used when compiling all the testcases as one
250 application, which is how source code analysis tools are tested. */
251
252#ifdef INCLUDEMAIN
253
254int main(int argc, char * argv[])
255{
256 /* seed randomness */
257 srand( (unsigned)time(NULL) );
258#ifndef OMITGOOD
259 printLine("Calling good()...");
260 CWE122_Heap_Based_Buffer_Overflow__CWE135_15_good();
261 printLine("Finished good()");
262#endif /* OMITGOOD */
263#ifndef OMITBAD
264 printLine("Calling bad()...");
265 CWE122_Heap_Based_Buffer_Overflow__CWE135_15_bad();
266 printLine("Finished bad()");
267#endif /* OMITBAD */
268 return 0;
269}
270
271#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1130: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_06.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_06.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-06.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: memcpy
12 * BadSink : Copy twoIntsStruct array to data using memcpy
13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19/* The variable below is declared "const", so a tool should be able
20 * to identify that reads of this will always give its initialized value. */
21static const int STATIC_CONST_FIVE = 5;
22
23#ifndef OMITBAD
24
25void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_06_bad()
26{
27 twoIntsStruct * data;
28 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));
29 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));
30 if(STATIC_CONST_FIVE==5)
31 {
32 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
33 * buffer in various memory copying functions using a "large" source buffer. */
34 data = dataBadBuffer;
35 }
36 {
37 twoIntsStruct source[100];
38 {
39 size_t i;
40 /* Initialize array */
41 for (i = 0; i < 100; i++)
42 {
43 source[i].intOne = 0;
44 source[i].intTwo = 0;
45 }
46 }
47 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
48 memcpy(data, source, 100*sizeof(twoIntsStruct));❗VULN
49 printStructLine(&data[0]);
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */
58static void goodG2B1()
59{
60 twoIntsStruct * data;
61 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));
62 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));
63 if(STATIC_CONST_FIVE!=5)
64 {
65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
66 printLine("Benign, fixed string");
67 }
68 else
69 {
70 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
71 data = dataGoodBuffer;
72 }
73 {
74 twoIntsStruct source[100];
75 {
76 size_t i;
77 /* Initialize array */
78 for (i = 0; i < 100; i++)
79 {
80 source[i].intOne = 0;
81 source[i].intTwo = 0;
82 }
83 }
84 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
85 memcpy(data, source, 100*sizeof(twoIntsStruct));
86 printStructLine(&data[0]);
87 }
88}
89
90/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
91static void goodG2B2()
92{
93 twoIntsStruct * data;
94 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));
95 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));
96 if(STATIC_CONST_FIVE==5)
97 {
98 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
99 data = dataGoodBuffer;
100 }
101 {
102 twoIntsStruct source[100];
103 {
104 size_t i;
105 /* Initialize array */
106 for (i = 0; i < 100; i++)
107 {
108 source[i].intOne = 0;
109 source[i].intTwo = 0;
110 }
111 }
112 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
113 memcpy(data, source, 100*sizeof(twoIntsStruct));
114 printStructLine(&data[0]);
115 }
116}
117
118void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_06_good()
119{
120 goodG2B1();
121 goodG2B2();
122}
123
124#endif /* OMITGOOD */
125
126/* Below is the main(). It is only used when building this testcase on
127 * its own for testing or for building a binary to use in testing binary
128 * analysis tools. It is not used when compiling all the testcases as one
129 * application, which is how source code analysis tools are tested.
130 */
131
132#ifdef INCLUDEMAIN
133
134int main(int argc, char * argv[])
135{
136 /* seed randomness */
137 srand( (unsigned)time(NULL) );
138#ifndef OMITGOOD
139 printLine("Calling good()...");
140 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_06_good();
141 printLine("Finished good()");
142#endif /* OMITGOOD */
143#ifndef OMITBAD
144 printLine("Calling bad()...");
145 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_06_bad();
146 printLine("Finished bad()");
147#endif /* OMITBAD */
148 return 0;
149}
150
151#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7847: CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fscanf_14.c

Nodes: 21 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fscanf_14.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE129.label.xml
4Template File: sources-sinks-14.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: fscanf Read data from the console using fscanf()
10 * GoodSource: Larger than zero but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the upper bound
14 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)
15 *
16 * */
17
18#include "std_testcase.h"
19
20#ifndef OMITBAD
21
22void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fscanf_14_bad()
23{
24 int data;
25 /* Initialize data */
26 data = -1;
27 if(globalFive==5)
28 {
29 /* POTENTIAL FLAW: Read data from the console using fscanf() */
30 fscanf(stdin, "%d", &data);
31 }
32 if(globalFive==5)
33 {
34 {
35 int i;
36 int * buffer = (int *)malloc(10 * sizeof(int));
37 if (buffer == NULL) {exit(-1);}
38 /* initialize buffer */
39 for (i = 0; i < 10; i++)
40 {
41 buffer[i] = 0;
42 }
43 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
44 * This code does check to see if the array index is negative */
45 if (data >= 0)
46 {
47 buffer[data] = 1;❗VULN
48 /* Print the array values */
49 for(i = 0; i < 10; i++)
50 {
51 printIntLine(buffer[i]);
52 }
53 }
54 else
55 {
56 printLine("ERROR: Array index is negative.");
57 }
58 free(buffer);
59 }
60 }
61}
62
63#endif /* OMITBAD */
64
65#ifndef OMITGOOD
66
67/* goodB2G1() - use badsource and goodsink by changing the second globalFive==5 to globalFive!=5 */
68static void goodB2G1()
69{
70 int data;
71 /* Initialize data */
72 data = -1;
73 if(globalFive==5)
74 {
75 /* POTENTIAL FLAW: Read data from the console using fscanf() */
76 fscanf(stdin, "%d", &data);
77 }
78 if(globalFive!=5)
79 {
80 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
81 printLine("Benign, fixed string");
82 }
83 else
84 {
85 {
86 int i;
87 int * buffer = (int *)malloc(10 * sizeof(int));
88 if (buffer == NULL) {exit(-1);}
89 /* initialize buffer */
90 for (i = 0; i < 10; i++)
91 {
92 buffer[i] = 0;
93 }
94 /* FIX: Properly validate the array index and prevent a buffer overflow */
95 if (data >= 0 && data < (10))
96 {
97 buffer[data] = 1;
98 /* Print the array values */
99 for(i = 0; i < 10; i++)
100 {
101 printIntLine(buffer[i]);
102 }
103 }
104 else
105 {
106 printLine("ERROR: Array index is out-of-bounds");
107 }
108 free(buffer);
109 }
110 }
111}
112
113/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */
114static void goodB2G2()
115{
116 int data;
117 /* Initialize data */
118 data = -1;
119 if(globalFive==5)
120 {
121 /* POTENTIAL FLAW: Read data from the console using fscanf() */
122 fscanf(stdin, "%d", &data);
123 }
124 if(globalFive==5)
125 {
126 {
127 int i;
128 int * buffer = (int *)malloc(10 * sizeof(int));
129 if (buffer == NULL) {exit(-1);}
130 /* initialize buffer */
131 for (i = 0; i < 10; i++)
132 {
133 buffer[i] = 0;
134 }
135 /* FIX: Properly validate the array index and prevent a buffer overflow */
136 if (data >= 0 && data < (10))
137 {
138 buffer[data] = 1;
139 /* Print the array values */
140 for(i = 0; i < 10; i++)
141 {
142 printIntLine(buffer[i]);
143 }
144 }
145 else
146 {
147 printLine("ERROR: Array index is out-of-bounds");
148 }
149 free(buffer);
150 }
151 }
152}
153
154/* goodG2B1() - use goodsource and badsink by changing the first globalFive==5 to globalFive!=5 */
155static void goodG2B1()
156{
157 int data;
158 /* Initialize data */
159 data = -1;
160 if(globalFive!=5)
161 {
162 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
163 printLine("Benign, fixed string");
164 }
165 else
166 {
167 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
168 * access an index of the array in the sink that is out-of-bounds */
169 data = 7;
170 }
171 if(globalFive==5)
172 {
173 {
174 int i;
175 int * buffer = (int *)malloc(10 * sizeof(int));
176 if (buffer == NULL) {exit(-1);}
177 /* initialize buffer */
178 for (i = 0; i < 10; i++)
179 {
180 buffer[i] = 0;
181 }
182 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
183 * This code does check to see if the array index is negative */
184 if (data >= 0)
185 {
186 buffer[data] = 1;
187 /* Print the array values */
188 for(i = 0; i < 10; i++)
189 {
190 printIntLine(buffer[i]);
191 }
192 }
193 else
194 {
195 printLine("ERROR: Array index is negative.");
196 }
197 free(buffer);
198 }
199 }
200}
201
202/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */
203static void goodG2B2()
204{
205 int data;
206 /* Initialize data */
207 data = -1;
208 if(globalFive==5)
209 {
210 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
211 * access an index of the array in the sink that is out-of-bounds */
212 data = 7;
213 }
214 if(globalFive==5)
215 {
216 {
217 int i;
218 int * buffer = (int *)malloc(10 * sizeof(int));
219 if (buffer == NULL) {exit(-1);}
220 /* initialize buffer */
221 for (i = 0; i < 10; i++)
222 {
223 buffer[i] = 0;
224 }
225 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
226 * This code does check to see if the array index is negative */
227 if (data >= 0)
228 {
229 buffer[data] = 1;
230 /* Print the array values */
231 for(i = 0; i < 10; i++)
232 {
233 printIntLine(buffer[i]);
234 }
235 }
236 else
237 {
238 printLine("ERROR: Array index is negative.");
239 }
240 free(buffer);
241 }
242 }
243}
244
245void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fscanf_14_good()
246{
247 goodB2G1();
248 goodB2G2();
249 goodG2B1();
250 goodG2B2();
251}
252
253#endif /* OMITGOOD */
254
255/* Below is the main(). It is only used when building this testcase on
256 its own for testing or for building a binary to use in testing binary
257 analysis tools. It is not used when compiling all the testcases as one
258 application, which is how source code analysis tools are tested. */
259
260#ifdef INCLUDEMAIN
261
262int main(int argc, char * argv[])
263{
264 /* seed randomness */
265 srand( (unsigned)time(NULL) );
266#ifndef OMITGOOD
267 printLine("Calling good()...");
268 CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fscanf_14_good();
269 printLine("Finished good()");
270#endif /* OMITGOOD */
271#ifndef OMITBAD
272 printLine("Calling bad()...");
273 CWE122_Heap_Based_Buffer_Overflow__c_CWE129_fscanf_14_bad();
274 printLine("Finished bad()");
275#endif /* OMITBAD */
276 return 0;
277}
278
279#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4124: CWE124_Buffer_Underwrite__new_wchar_t_loop_21.cpp

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__new_wchar_t_loop_21.cpp
3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml
4Template File: sources-sink-21.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: loop
12 * BadSink : Copy string to data using a loop
13 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE124_Buffer_Underwrite__new_wchar_t_loop_21
22{
23
24#ifndef OMITBAD
25
26/* The static variable below is used to drive control flow in the source function */
27static int badStatic = 0;
28
29static wchar_t * badSource(wchar_t * data)
30{
31 if(badStatic)
32 {
33 {
34 wchar_t * dataBuffer = new wchar_t[100];
35 wmemset(dataBuffer, L'A', 100-1);
36 dataBuffer[100-1] = L'\0';
37 /* FLAW: Set data pointer to before the allocated memory buffer */
38 data = dataBuffer - 8;
39 }
40 }
41 return data;
42}
43
44void bad()
45{
46 wchar_t * data;
47 data = NULL;
48 badStatic = 1; /* true */
49 data = badSource(data);
50 {
51 size_t i;
52 wchar_t source[100];
53 wmemset(source, L'C', 100-1); /* fill with 'C's */
54 source[100-1] = L'\0'; /* null terminate */
55 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
56 for (i = 0; i < 100; i++)
57 {
58 data[i] = source[i];❗VULN
59 }
60 /* Ensure the destination buffer is null terminated */
61 data[100-1] = L'\0';
62 printWLine(data);
63 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
64 * returned by new [] so can't safely call delete [] on it */
65 }
66 ;
67}
68
69#endif /* OMITBAD */
70
71#ifndef OMITGOOD
72
73/* The static variables below are used to drive control flow in the source functions. */
74static int goodG2B1Static = 0;
75static int goodG2B2Static = 0;
76
77/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */
78static wchar_t * goodG2B1Source(wchar_t * data)
79{
80 if(goodG2B1Static)
81 {
82 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
83 printLine("Benign, fixed string");
84 }
85 else
86 {
87 {
88 wchar_t * dataBuffer = new wchar_t[100];
89 wmemset(dataBuffer, L'A', 100-1);
90 dataBuffer[100-1] = L'\0';
91 /* FIX: Set data pointer to the allocated memory buffer */
92 data = dataBuffer;
93 }
94 }
95 return data;
96}
97
98static void goodG2B1()
99{
100 wchar_t * data;
101 data = NULL;
102 goodG2B1Static = 0; /* false */
103 data = goodG2B1Source(data);
104 {
105 size_t i;
106 wchar_t source[100];
107 wmemset(source, L'C', 100-1); /* fill with 'C's */
108 source[100-1] = L'\0'; /* null terminate */
109 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
110 for (i = 0; i < 100; i++)
111 {
112 data[i] = source[i];
113 }
114 /* Ensure the destination buffer is null terminated */
115 data[100-1] = L'\0';
116 printWLine(data);
117 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
118 * returned by new [] so can't safely call delete [] on it */
119 }
120 ;
121}
122
123/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */
124static wchar_t * goodG2B2Source(wchar_t * data)
125{
126 if(goodG2B2Static)
127 {
128 {
129 wchar_t * dataBuffer = new wchar_t[100];
130 wmemset(dataBuffer, L'A', 100-1);
131 dataBuffer[100-1] = L'\0';
132 /* FIX: Set data pointer to the allocated memory buffer */
133 data = dataBuffer;
134 }
135 }
136 return data;
137}
138
139static void goodG2B2()
140{
141 wchar_t * data;
142 data = NULL;
143 goodG2B2Static = 1; /* true */
144 data = goodG2B2Source(data);
145 {
146 size_t i;
147 wchar_t source[100];
148 wmemset(source, L'C', 100-1); /* fill with 'C's */
149 source[100-1] = L'\0'; /* null terminate */
150 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
151 for (i = 0; i < 100; i++)
152 {
153 data[i] = source[i];
154 }
155 /* Ensure the destination buffer is null terminated */
156 data[100-1] = L'\0';
157 printWLine(data);
158 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
159 * returned by new [] so can't safely call delete [] on it */
160 }
161 ;
162}
163
164void good()
165{
166 goodG2B1();
167 goodG2B2();
168}
169
170#endif /* OMITGOOD */
171
172} /* close namespace */
173
174/* Below is the main(). It is only used when building this testcase on
175 its own for testing or for building a binary to use in testing binary
176 analysis tools. It is not used when compiling all the testcases as one
177 application, which is how source code analysis tools are tested. */
178
179#ifdef INCLUDEMAIN
180
181using namespace CWE124_Buffer_Underwrite__new_wchar_t_loop_21; /* so that we can use good and bad easily */
182
183int main(int argc, char * argv[])
184{
185 /* seed randomness */
186 srand( (unsigned)time(NULL) );
187#ifndef OMITGOOD
188 printLine("Calling good()...");
189 good();
190 printLine("Finished good()");
191#endif /* OMITGOOD */
192#ifndef OMITBAD
193 printLine("Calling bad()...");
194 bad();
195 printLine("Finished bad()");
196#endif /* OMITBAD */
197 return 0;
198}
199
200#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6267: CWE127_Buffer_Underread__malloc_wchar_t_memcpy_61a.c

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__malloc_wchar_t_memcpy_61a.c
3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml
4Template File: sources-sink-61a.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sinks: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 61 Data flow: data returned from one function to another in different source files
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23/* bad function declaration */
24wchar_t * CWE127_Buffer_Underread__malloc_wchar_t_memcpy_61b_badSource(wchar_t * data);
25
26void CWE127_Buffer_Underread__malloc_wchar_t_memcpy_61_bad()
27{
28 wchar_t * data;
29 data = NULL;
30 data = CWE127_Buffer_Underread__malloc_wchar_t_memcpy_61b_badSource(data);
31 {
32 wchar_t dest[100];
33 wmemset(dest, L'C', 100-1); /* fill with 'C's */
34 dest[100-1] = L'\0'; /* null terminate */
35 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
36 memcpy(dest, data, 100*sizeof(wchar_t));❗VULN
37 /* Ensure null termination */
38 dest[100-1] = L'\0';
39 printWLine(dest);
40 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
41 * returned by malloc() so can't safely call free() on it */
42 }
43}
44
45#endif /* OMITBAD */
46
47#ifndef OMITGOOD
48
49/* goodG2B uses the GoodSource with the BadSink */
50wchar_t * CWE127_Buffer_Underread__malloc_wchar_t_memcpy_61b_goodG2BSource(wchar_t * data);
51
52static void goodG2B()
53{
54 wchar_t * data;
55 data = NULL;
56 data = CWE127_Buffer_Underread__malloc_wchar_t_memcpy_61b_goodG2BSource(data);
57 {
58 wchar_t dest[100];
59 wmemset(dest, L'C', 100-1); /* fill with 'C's */
60 dest[100-1] = L'\0'; /* null terminate */
61 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
62 memcpy(dest, data, 100*sizeof(wchar_t));
63 /* Ensure null termination */
64 dest[100-1] = L'\0';
65 printWLine(dest);
66 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
67 * returned by malloc() so can't safely call free() on it */
68 }
69}
70
71void CWE127_Buffer_Underread__malloc_wchar_t_memcpy_61_good()
72{
73 goodG2B();
74}
75
76#endif /* OMITGOOD */
77
78/* Below is the main(). It is only used when building this testcase on
79 * its own for testing or for building a binary to use in testing binary
80 * analysis tools. It is not used when compiling all the testcases as one
81 * application, which is how source code analysis tools are tested.
82 */
83
84#ifdef INCLUDEMAIN
85
86int main(int argc, char * argv[])
87{
88 /* seed randomness */
89 srand( (unsigned)time(NULL) );
90#ifndef OMITGOOD
91 printLine("Calling good()...");
92 CWE127_Buffer_Underread__malloc_wchar_t_memcpy_61_good();
93 printLine("Finished good()");
94#endif /* OMITGOOD */
95#ifndef OMITBAD
96 printLine("Calling bad()...");
97 CWE127_Buffer_Underread__malloc_wchar_t_memcpy_61_bad();
98 printLine("Finished bad()");
99#endif /* OMITBAD */
100 return 0;
101}
102
103#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6321: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncat_04.c

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncat_04.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4Template File: sources-sink-04.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 * Sink: ncat
12 * BadSink : Copy string to data using wcsncat
13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are declared "const", so a tool should
22 * be able to identify that reads of these will always return their
23 * initialized values.
24 */
25static const int STATIC_CONST_TRUE = 1; /* true */
26static const int STATIC_CONST_FALSE = 0; /* false */
27
28#ifndef OMITBAD
29
30void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncat_04_bad()
31{
32 wchar_t * data;
33 data = NULL;
34 if(STATIC_CONST_TRUE)
35 {
36 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
37 data = (wchar_t *)malloc(50*sizeof(wchar_t));
38 if (data == NULL) {exit(-1);}
39 data[0] = L'\0'; /* null terminate */
40 }
41 {
42 wchar_t source[100];
43 wmemset(source, L'C', 100-1); /* fill with L'C's */
44 source[100-1] = L'\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
46 wcsncat(data, source, 100);❗VULN
47 printWLine(data);
48 free(data);
49 }
50}
51
52#endif /* OMITBAD */
53
54#ifndef OMITGOOD
55
56/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */
57static void goodG2B1()
58{
59 wchar_t * data;
60 data = NULL;
61 if(STATIC_CONST_FALSE)
62 {
63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
64 printLine("Benign, fixed string");
65 }
66 else
67 {
68 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
69 data = (wchar_t *)malloc(100*sizeof(wchar_t));
70 if (data == NULL) {exit(-1);}
71 data[0] = L'\0'; /* null terminate */
72 }
73 {
74 wchar_t source[100];
75 wmemset(source, L'C', 100-1); /* fill with L'C's */
76 source[100-1] = L'\0'; /* null terminate */
77 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
78 wcsncat(data, source, 100);
79 printWLine(data);
80 free(data);
81 }
82}
83
84/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
85static void goodG2B2()
86{
87 wchar_t * data;
88 data = NULL;
89 if(STATIC_CONST_TRUE)
90 {
91 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
92 data = (wchar_t *)malloc(100*sizeof(wchar_t));
93 if (data == NULL) {exit(-1);}
94 data[0] = L'\0'; /* null terminate */
95 }
96 {
97 wchar_t source[100];
98 wmemset(source, L'C', 100-1); /* fill with L'C's */
99 source[100-1] = L'\0'; /* null terminate */
100 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
101 wcsncat(data, source, 100);
102 printWLine(data);
103 free(data);
104 }
105}
106
107void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncat_04_good()
108{
109 goodG2B1();
110 goodG2B2();
111}
112
113#endif /* OMITGOOD */
114
115/* Below is the main(). It is only used when building this testcase on
116 * its own for testing or for building a binary to use in testing binary
117 * analysis tools. It is not used when compiling all the testcases as one
118 * application, which is how source code analysis tools are tested.
119 */
120
121#ifdef INCLUDEMAIN
122
123int main(int argc, char * argv[])
124{
125 /* seed randomness */
126 srand( (unsigned)time(NULL) );
127#ifndef OMITGOOD
128 printLine("Calling good()...");
129 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncat_04_good();
130 printLine("Finished good()");
131#endif /* OMITGOOD */
132#ifndef OMITBAD
133 printLine("Calling bad()...");
134 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncat_04_bad();
135 printLine("Finished bad()");
136#endif /* OMITBAD */
137 return 0;
138}
139
140#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1972: CWE126_Buffer_Overread__new_char_memmove_06.cpp

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__new_char_memmove_06.cpp
3Label Definition File: CWE126_Buffer_Overread__new.label.xml
4Template File: sources-sink-06.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Use a small buffer
10 * GoodSource: Use a large buffer
11 * Sink: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The variable below is declared "const", so a tool should be able
22 to identify that reads of this will always give its initialized
23 value. */
24static const int STATIC_CONST_FIVE = 5;
25
26namespace CWE126_Buffer_Overread__new_char_memmove_06
27{
28
29#ifndef OMITBAD
30
31void bad()
32{
33 char * data;
34 data = NULL;
35 if(STATIC_CONST_FIVE==5)
36 {
37 /* FLAW: Use a small buffer */
38 data = new char[50];
39 memset(data, 'A', 50-1); /* fill with 'A's */
40 data[50-1] = '\0'; /* null terminate */
41 }
42 {
43 char dest[100];
44 memset(dest, 'C', 100-1);
45 dest[100-1] = '\0'; /* null terminate */
46 /* POTENTIAL FLAW: using memmove with the length of the dest where data
47 * could be smaller than dest causing buffer overread */
48 memmove(dest, data, strlen(dest)*sizeof(char));❗VULN
49 dest[100-1] = '\0';
50 printLine(dest);
51 delete [] data;
52 }
53}
54
55#endif /* OMITBAD */
56
57#ifndef OMITGOOD
58
59/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */
60static void goodG2B1()
61{
62 char * data;
63 data = NULL;
64 if(STATIC_CONST_FIVE!=5)
65 {
66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
67 printLine("Benign, fixed string");
68 }
69 else
70 {
71 /* FIX: Use a large buffer */
72 data = new char[100];
73 memset(data, 'A', 100-1); /* fill with 'A's */
74 data[100-1] = '\0'; /* null terminate */
75 }
76 {
77 char dest[100];
78 memset(dest, 'C', 100-1);
79 dest[100-1] = '\0'; /* null terminate */
80 /* POTENTIAL FLAW: using memmove with the length of the dest where data
81 * could be smaller than dest causing buffer overread */
82 memmove(dest, data, strlen(dest)*sizeof(char));
83 dest[100-1] = '\0';
84 printLine(dest);
85 delete [] data;
86 }
87}
88
89/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
90static void goodG2B2()
91{
92 char * data;
93 data = NULL;
94 if(STATIC_CONST_FIVE==5)
95 {
96 /* FIX: Use a large buffer */
97 data = new char[100];
98 memset(data, 'A', 100-1); /* fill with 'A's */
99 data[100-1] = '\0'; /* null terminate */
100 }
101 {
102 char dest[100];
103 memset(dest, 'C', 100-1);
104 dest[100-1] = '\0'; /* null terminate */
105 /* POTENTIAL FLAW: using memmove with the length of the dest where data
106 * could be smaller than dest causing buffer overread */
107 memmove(dest, data, strlen(dest)*sizeof(char));
108 dest[100-1] = '\0';
109 printLine(dest);
110 delete [] data;
111 }
112}
113
114void good()
115{
116 goodG2B1();
117 goodG2B2();
118}
119
120#endif /* OMITGOOD */
121
122} /* close namespace */
123
124/* Below is the main(). It is only used when building this testcase on
125 its own for testing or for building a binary to use in testing binary
126 analysis tools. It is not used when compiling all the testcases as one
127 application, which is how source code analysis tools are tested. */
128
129#ifdef INCLUDEMAIN
130
131using namespace CWE126_Buffer_Overread__new_char_memmove_06; /* so that we can use good and bad easily */
132
133int main(int argc, char * argv[])
134{
135 /* seed randomness */
136 srand( (unsigned)time(NULL) );
137#ifndef OMITGOOD
138 printLine("Calling good()...");
139 good();
140 printLine("Finished good()");
141#endif /* OMITGOOD */
142#ifndef OMITBAD
143 printLine("Calling bad()...");
144 bad();
145 printLine("Finished bad()");
146#endif /* OMITBAD */
147 return 0;
148}
149
150#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 429: CWE127_Buffer_Underread__malloc_wchar_t_loop_68b.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__malloc_wchar_t_loop_68b.c
3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml
4Template File: sources-sink-68b.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 68 Data flow: data passed as a global variable from one function to another in different source files
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21extern wchar_t * CWE127_Buffer_Underread__malloc_wchar_t_loop_68_badData;
22extern wchar_t * CWE127_Buffer_Underread__malloc_wchar_t_loop_68_goodG2BData;
23
24/* all the sinks are the same, we just want to know where the hit originated if a tool flags one */
25
26#ifndef OMITBAD
27
28void CWE127_Buffer_Underread__malloc_wchar_t_loop_68b_badSink()
29{
30 wchar_t * data = CWE127_Buffer_Underread__malloc_wchar_t_loop_68_badData;
31 {
32 size_t i;
33 wchar_t dest[100];
34 wmemset(dest, L'C', 100-1); /* fill with 'C's */
35 dest[100-1] = L'\0'; /* null terminate */
36 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
37 for (i = 0; i < 100; i++)
38 {
39 dest[i] = data[i];❗VULN
40 }
41 /* Ensure null termination */
42 dest[100-1] = L'\0';
43 printWLine(dest);
44 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
45 * returned by malloc() so can't safely call free() on it */
46 }
47}
48
49#endif /* OMITBAD */
50
51#ifndef OMITGOOD
52
53/* goodG2B uses the GoodSource with the BadSink */
54void CWE127_Buffer_Underread__malloc_wchar_t_loop_68b_goodG2BSink()
55{
56 wchar_t * data = CWE127_Buffer_Underread__malloc_wchar_t_loop_68_goodG2BData;
57 {
58 size_t i;
59 wchar_t dest[100];
60 wmemset(dest, L'C', 100-1); /* fill with 'C's */
61 dest[100-1] = L'\0'; /* null terminate */
62 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
63 for (i = 0; i < 100; i++)
64 {
65 dest[i] = data[i];
66 }
67 /* Ensure null termination */
68 dest[100-1] = L'\0';
69 printWLine(dest);
70 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
71 * returned by malloc() so can't safely call free() on it */
72 }
73}
74
75#endif /* OMITGOOD */

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8678: CWE124_Buffer_Underwrite__new_wchar_t_memcpy_04.cpp

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__new_wchar_t_memcpy_04.cpp
3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml
4Template File: sources-sink-04.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memcpy
12 * BadSink : Copy string to data using memcpy
13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are declared "const", so a tool should
22 be able to identify that reads of these will always return their
23 initialized values. */
24static const int STATIC_CONST_TRUE = 1; /* true */
25static const int STATIC_CONST_FALSE = 0; /* false */
26
27namespace CWE124_Buffer_Underwrite__new_wchar_t_memcpy_04
28{
29
30#ifndef OMITBAD
31
32void bad()
33{
34 wchar_t * data;
35 data = NULL;
36 if(STATIC_CONST_TRUE)
37 {
38 {
39 wchar_t * dataBuffer = new wchar_t[100];
40 wmemset(dataBuffer, L'A', 100-1);
41 dataBuffer[100-1] = L'\0';
42 /* FLAW: Set data pointer to before the allocated memory buffer */
43 data = dataBuffer - 8;
44 }
45 }
46 {
47 wchar_t source[100];
48 wmemset(source, L'C', 100-1); /* fill with 'C's */
49 source[100-1] = L'\0'; /* null terminate */
50 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
51 memcpy(data, source, 100*sizeof(wchar_t));❗VULN
52 /* Ensure the destination buffer is null terminated */
53 data[100-1] = L'\0';
54 printWLine(data);
55 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
56 * returned by new [] so can't safely call delete [] on it */
57 }
58}
59
60#endif /* OMITBAD */
61
62#ifndef OMITGOOD
63
64/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */
65static void goodG2B1()
66{
67 wchar_t * data;
68 data = NULL;
69 if(STATIC_CONST_FALSE)
70 {
71 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
72 printLine("Benign, fixed string");
73 }
74 else
75 {
76 {
77 wchar_t * dataBuffer = new wchar_t[100];
78 wmemset(dataBuffer, L'A', 100-1);
79 dataBuffer[100-1] = L'\0';
80 /* FIX: Set data pointer to the allocated memory buffer */
81 data = dataBuffer;
82 }
83 }
84 {
85 wchar_t source[100];
86 wmemset(source, L'C', 100-1); /* fill with 'C's */
87 source[100-1] = L'\0'; /* null terminate */
88 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
89 memcpy(data, source, 100*sizeof(wchar_t));
90 /* Ensure the destination buffer is null terminated */
91 data[100-1] = L'\0';
92 printWLine(data);
93 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
94 * returned by new [] so can't safely call delete [] on it */
95 }
96}
97
98/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
99static void goodG2B2()
100{
101 wchar_t * data;
102 data = NULL;
103 if(STATIC_CONST_TRUE)
104 {
105 {
106 wchar_t * dataBuffer = new wchar_t[100];
107 wmemset(dataBuffer, L'A', 100-1);
108 dataBuffer[100-1] = L'\0';
109 /* FIX: Set data pointer to the allocated memory buffer */
110 data = dataBuffer;
111 }
112 }
113 {
114 wchar_t source[100];
115 wmemset(source, L'C', 100-1); /* fill with 'C's */
116 source[100-1] = L'\0'; /* null terminate */
117 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
118 memcpy(data, source, 100*sizeof(wchar_t));
119 /* Ensure the destination buffer is null terminated */
120 data[100-1] = L'\0';
121 printWLine(data);
122 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
123 * returned by new [] so can't safely call delete [] on it */
124 }
125}
126
127void good()
128{
129 goodG2B1();
130 goodG2B2();
131}
132
133#endif /* OMITGOOD */
134
135} /* close namespace */
136
137/* Below is the main(). It is only used when building this testcase on
138 its own for testing or for building a binary to use in testing binary
139 analysis tools. It is not used when compiling all the testcases as one
140 application, which is how source code analysis tools are tested. */
141
142#ifdef INCLUDEMAIN
143
144using namespace CWE124_Buffer_Underwrite__new_wchar_t_memcpy_04; /* so that we can use good and bad easily */
145
146int main(int argc, char * argv[])
147{
148 /* seed randomness */
149 srand( (unsigned)time(NULL) );
150#ifndef OMITGOOD
151 printLine("Calling good()...");
152 good();
153 printLine("Finished good()");
154#endif /* OMITGOOD */
155#ifndef OMITBAD
156 printLine("Calling bad()...");
157 bad();
158 printLine("Finished bad()");
159#endif /* OMITBAD */
160 return 0;
161}
162
163#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9358: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_02.cpp

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_02.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml
4Template File: sources-sink-02.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: ncat
12 * BadSink : Copy string to data using wcsncat
13 * Flow Variant: 02 Control flow: if(1) and if(0)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_02
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 wchar_t * data;
29 data = NULL;
30 if(1)
31 {
32 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
33 data = new wchar_t[50];
34 data[0] = L'\0'; /* null terminate */
35 }
36 {
37 wchar_t source[100];
38 wmemset(source, L'C', 100-1); /* fill with L'C's */
39 source[100-1] = L'\0'; /* null terminate */
40 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
41 wcsncat(data, source, 100);❗VULN
42 printWLine(data);
43 delete [] data;
44 }
45}
46
47#endif /* OMITBAD */
48
49#ifndef OMITGOOD
50
51/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */
52static void goodG2B1()
53{
54 wchar_t * data;
55 data = NULL;
56 if(0)
57 {
58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
59 printLine("Benign, fixed string");
60 }
61 else
62 {
63 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
64 data = new wchar_t[100];
65 data[0] = L'\0'; /* null terminate */
66 }
67 {
68 wchar_t source[100];
69 wmemset(source, L'C', 100-1); /* fill with L'C's */
70 source[100-1] = L'\0'; /* null terminate */
71 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
72 wcsncat(data, source, 100);
73 printWLine(data);
74 delete [] data;
75 }
76}
77
78/* goodG2B2() - use goodsource and badsink by reversing the statements in the if */
79static void goodG2B2()
80{
81 wchar_t * data;
82 data = NULL;
83 if(1)
84 {
85 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
86 data = new wchar_t[100];
87 data[0] = L'\0'; /* null terminate */
88 }
89 {
90 wchar_t source[100];
91 wmemset(source, L'C', 100-1); /* fill with L'C's */
92 source[100-1] = L'\0'; /* null terminate */
93 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
94 wcsncat(data, source, 100);
95 printWLine(data);
96 delete [] data;
97 }
98}
99
100void good()
101{
102 goodG2B1();
103 goodG2B2();
104}
105
106#endif /* OMITGOOD */
107
108} /* close namespace */
109
110/* Below is the main(). It is only used when building this testcase on
111 its own for testing or for building a binary to use in testing binary
112 analysis tools. It is not used when compiling all the testcases as one
113 application, which is how source code analysis tools are tested. */
114
115#ifdef INCLUDEMAIN
116
117using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_02; /* so that we can use good and bad easily */
118
119int main(int argc, char * argv[])
120{
121 /* seed randomness */
122 srand( (unsigned)time(NULL) );
123#ifndef OMITGOOD
124 printLine("Calling good()...");
125 good();
126 printLine("Finished good()");
127#endif /* OMITGOOD */
128#ifndef OMITBAD
129 printLine("Calling bad()...");
130 bad();
131 printLine("Finished bad()");
132#endif /* OMITBAD */
133 return 0;
134}
135
136#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7763: CWE124_Buffer_Underwrite__malloc_wchar_t_loop_02.c

Nodes: 19 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__malloc_wchar_t_loop_02.c
3Label Definition File: CWE124_Buffer_Underwrite__malloc.label.xml
4Template File: sources-sink-02.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: loop
12 * BadSink : Copy string to data using a loop
13 * Flow Variant: 02 Control flow: if(1) and if(0)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE124_Buffer_Underwrite__malloc_wchar_t_loop_02_bad()
24{
25 wchar_t * data;
26 data = NULL;
27 if(1)
28 {
29 {
30 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
31 if (dataBuffer == NULL) {exit(-1);}
32 wmemset(dataBuffer, L'A', 100-1);
33 dataBuffer[100-1] = L'\0';
34 /* FLAW: Set data pointer to before the allocated memory buffer */
35 data = dataBuffer - 8;
36 }
37 }
38 {
39 size_t i;
40 wchar_t source[100];
41 wmemset(source, L'C', 100-1); /* fill with 'C's */
42 source[100-1] = L'\0'; /* null terminate */
43 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
44 for (i = 0; i < 100; i++)
45 {
46 data[i] = source[i];❗VULN
47 }
48 /* Ensure the destination buffer is null terminated */
49 data[100-1] = L'\0';
50 printWLine(data);
51 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
52 * returned by malloc() so can't safely call free() on it */
53 }
54}
55
56#endif /* OMITBAD */
57
58#ifndef OMITGOOD
59
60/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */
61static void goodG2B1()
62{
63 wchar_t * data;
64 data = NULL;
65 if(0)
66 {
67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
68 printLine("Benign, fixed string");
69 }
70 else
71 {
72 {
73 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
74 if (dataBuffer == NULL) {exit(-1);}
75 wmemset(dataBuffer, L'A', 100-1);
76 dataBuffer[100-1] = L'\0';
77 /* FIX: Set data pointer to the allocated memory buffer */
78 data = dataBuffer;
79 }
80 }
81 {
82 size_t i;
83 wchar_t source[100];
84 wmemset(source, L'C', 100-1); /* fill with 'C's */
85 source[100-1] = L'\0'; /* null terminate */
86 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
87 for (i = 0; i < 100; i++)
88 {
89 data[i] = source[i];
90 }
91 /* Ensure the destination buffer is null terminated */
92 data[100-1] = L'\0';
93 printWLine(data);
94 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
95 * returned by malloc() so can't safely call free() on it */
96 }
97}
98
99/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
100static void goodG2B2()
101{
102 wchar_t * data;
103 data = NULL;
104 if(1)
105 {
106 {
107 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
108 if (dataBuffer == NULL) {exit(-1);}
109 wmemset(dataBuffer, L'A', 100-1);
110 dataBuffer[100-1] = L'\0';
111 /* FIX: Set data pointer to the allocated memory buffer */
112 data = dataBuffer;
113 }
114 }
115 {
116 size_t i;
117 wchar_t source[100];
118 wmemset(source, L'C', 100-1); /* fill with 'C's */
119 source[100-1] = L'\0'; /* null terminate */
120 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
121 for (i = 0; i < 100; i++)
122 {
123 data[i] = source[i];
124 }
125 /* Ensure the destination buffer is null terminated */
126 data[100-1] = L'\0';
127 printWLine(data);
128 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
129 * returned by malloc() so can't safely call free() on it */
130 }
131}
132
133void CWE124_Buffer_Underwrite__malloc_wchar_t_loop_02_good()
134{
135 goodG2B1();
136 goodG2B2();
137}
138
139#endif /* OMITGOOD */
140
141/* Below is the main(). It is only used when building this testcase on
142 * its own for testing or for building a binary to use in testing binary
143 * analysis tools. It is not used when compiling all the testcases as one
144 * application, which is how source code analysis tools are tested.
145 */
146
147#ifdef INCLUDEMAIN
148
149int main(int argc, char * argv[])
150{
151 /* seed randomness */
152 srand( (unsigned)time(NULL) );
153#ifndef OMITGOOD
154 printLine("Calling good()...");
155 CWE124_Buffer_Underwrite__malloc_wchar_t_loop_02_good();
156 printLine("Finished good()");
157#endif /* OMITGOOD */
158#ifndef OMITBAD
159 printLine("Calling bad()...");
160 CWE124_Buffer_Underwrite__malloc_wchar_t_loop_02_bad();
161 printLine("Finished bad()");
162#endif /* OMITBAD */
163 return 0;
164}
165
166#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 300: CWE126_Buffer_Overread__CWE170_char_strncpy_11.c

Nodes: 6 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__CWE170_char_strncpy_11.c
3Label Definition File: CWE126_Buffer_Overread__CWE170.label.xml
4Template File: point-flaw-11.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Overread
9 * Sinks: strncpy
10 * GoodSink: Copy a string using strncpy() with explicit null termination
11 * BadSink : Copy a string using strncpy() without explicit null termination
12 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())
13 *
14 * */
15
16#include "std_testcase.h"
17
18#include <wchar.h>
19
20#ifndef OMITBAD
21
22void CWE126_Buffer_Overread__CWE170_char_strncpy_11_bad()
23{
24 if(globalReturnsTrue())
25 {
26 {
27 char data[150], dest[100];
28 /* Initialize data */
29 memset(data, 'A', 149);
30 data[149] = '\0';
31 /* strncpy() does not null terminate if the string in the src buffer is larger than
32 * the number of characters being copied to the dest buffer */
33 strncpy(dest, data, 99);
34 /* FLAW: do not explicitly null terminate dest after the use of strncpy() */
35 printLine(dest);❗VULN
36 }
37 }
38}
39
40#endif /* OMITBAD */
41
42#ifndef OMITGOOD
43
44/* good1() uses if(globalReturnsFalse()) instead of if(globalReturnsTrue()) */
45static void good1()
46{
47 if(globalReturnsFalse())
48 {
49 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
50 printLine("Benign, fixed string");
51 }
52 else
53 {
54 {
55 char data[150], dest[100];
56 /* Initialize data */
57 memset(data, 'A', 149);
58 data[149] = '\0';
59 /* strncpy() does not null terminate if the string in the src buffer is larger than
60 * the number of characters being copied to the dest buffer */
61 strncpy(dest, data, 99);
62 dest[99] = '\0'; /* FIX: Explicitly null terminate dest after the use of strncpy() */
63 printLine(dest);
64 }
65 }
66}
67
68/* good2() reverses the bodies in the if statement */
69static void good2()
70{
71 if(globalReturnsTrue())
72 {
73 {
74 char data[150], dest[100];
75 /* Initialize data */
76 memset(data, 'A', 149);
77 data[149] = '\0';
78 /* strncpy() does not null terminate if the string in the src buffer is larger than
79 * the number of characters being copied to the dest buffer */
80 strncpy(dest, data, 99);
81 dest[99] = '\0'; /* FIX: Explicitly null terminate dest after the use of strncpy() */
82 printLine(dest);
83 }
84 }
85}
86
87void CWE126_Buffer_Overread__CWE170_char_strncpy_11_good()
88{
89 good1();
90 good2();
91}
92
93#endif /* OMITGOOD */
94
95/* Below is the main(). It is only used when building this testcase on
96 its own for testing or for building a binary to use in testing binary
97 analysis tools. It is not used when compiling all the testcases as one
98 application, which is how source code analysis tools are tested. */
99
100#ifdef INCLUDEMAIN
101
102int main(int argc, char * argv[])
103{
104 /* seed randomness */
105 srand( (unsigned)time(NULL) );
106#ifndef OMITGOOD
107 printLine("Calling good()...");
108 CWE126_Buffer_Overread__CWE170_char_strncpy_11_good();
109 printLine("Finished good()");
110#endif /* OMITGOOD */
111#ifndef OMITBAD
112 printLine("Calling bad()...");
113 CWE126_Buffer_Overread__CWE170_char_strncpy_11_bad();
114 printLine("Finished bad()");
115#endif /* OMITBAD */
116 return 0;
117}
118
119#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9500: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_33.cpp

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_33.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml
4Template File: sources-sink-33.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 * GoodSource: Allocate enough memory for a string and the NULL terminator
11 * Sinks: memmove
12 * BadSink : Copy string to data using memmove()
13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING "AAAAAAAAAA"
25
26namespace CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_33
27{
28
29#ifndef OMITBAD
30
31void bad()
32{
33 char * data;
34 char * &dataRef = data;
35 data = NULL;
36 /* FLAW: Did not leave space for a null terminator */
37 data = (char *)malloc(10*sizeof(char));
38 if (data == NULL) {exit(-1);}
39 {
40 char * data = dataRef;
41 {
42 char source[10+1] = SRC_STRING;
43 /* Copy length + 1 to include NUL terminator from source */
44 /* POTENTIAL FLAW: data may not have enough space to hold source */
45 memmove(data, source, (strlen(source) + 1) * sizeof(char));❗VULN
46 printLine(data);
47 free(data);
48 }
49 }
50}
51
52#endif /* OMITBAD */
53
54#ifndef OMITGOOD
55
56/* goodG2B() uses the GoodSource with the BadSink */
57static void goodG2B()
58{
59 char * data;
60 char * &dataRef = data;
61 data = NULL;
62 /* FIX: Allocate space for a null terminator */
63 data = (char *)malloc((10+1)*sizeof(char));
64 if (data == NULL) {exit(-1);}
65 {
66 char * data = dataRef;
67 {
68 char source[10+1] = SRC_STRING;
69 /* Copy length + 1 to include NUL terminator from source */
70 /* POTENTIAL FLAW: data may not have enough space to hold source */
71 memmove(data, source, (strlen(source) + 1) * sizeof(char));
72 printLine(data);
73 free(data);
74 }
75 }
76}
77
78void good()
79{
80 goodG2B();
81}
82
83#endif /* OMITGOOD */
84
85} /* close namespace */
86
87/* Below is the main(). It is only used when building this testcase on
88 * its own for testing or for building a binary to use in testing binary
89 * analysis tools. It is not used when compiling all the testcases as one
90 * application, which is how source code analysis tools are tested.
91 */
92#ifdef INCLUDEMAIN
93
94using namespace CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_33; /* so that we can use good and bad easily */
95
96int main(int argc, char * argv[])
97{
98 /* seed randomness */
99 srand( (unsigned)time(NULL) );
100#ifndef OMITGOOD
101 printLine("Calling good()...");
102 good();
103 printLine("Finished good()");
104#endif /* OMITGOOD */
105#ifndef OMITBAD
106 printLine("Calling bad()...");
107 bad();
108 printLine("Finished bad()");
109#endif /* OMITBAD */
110 return 0;
111}
112
113#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7634: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_ncpy_04.cpp

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_ncpy_04.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml
4Template File: sources-sink-04.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: ncpy
12 * BadSink : Copy string to data using strncpy
13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are declared "const", so a tool should
22 be able to identify that reads of these will always return their
23 initialized values. */
24static const int STATIC_CONST_TRUE = 1; /* true */
25static const int STATIC_CONST_FALSE = 0; /* false */
26
27namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_ncpy_04
28{
29
30#ifndef OMITBAD
31
32void bad()
33{
34 char * data;
35 data = NULL;
36 if(STATIC_CONST_TRUE)
37 {
38 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
39 data = new char[50];
40 data[0] = '\0'; /* null terminate */
41 }
42 {
43 char source[100];
44 memset(source, 'C', 100-1); /* fill with 'C's */
45 source[100-1] = '\0'; /* null terminate */
46 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
47 strncpy(data, source, 100-1);❗VULN
48 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
49 printLine(data);
50 delete [] data;
51 }
52}
53
54#endif /* OMITBAD */
55
56#ifndef OMITGOOD
57
58/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */
59static void goodG2B1()
60{
61 char * data;
62 data = NULL;
63 if(STATIC_CONST_FALSE)
64 {
65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
66 printLine("Benign, fixed string");
67 }
68 else
69 {
70 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
71 data = new char[100];
72 data[0] = '\0'; /* null terminate */
73 }
74 {
75 char source[100];
76 memset(source, 'C', 100-1); /* fill with 'C's */
77 source[100-1] = '\0'; /* null terminate */
78 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
79 strncpy(data, source, 100-1);
80 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
81 printLine(data);
82 delete [] data;
83 }
84}
85
86/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
87static void goodG2B2()
88{
89 char * data;
90 data = NULL;
91 if(STATIC_CONST_TRUE)
92 {
93 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
94 data = new char[100];
95 data[0] = '\0'; /* null terminate */
96 }
97 {
98 char source[100];
99 memset(source, 'C', 100-1); /* fill with 'C's */
100 source[100-1] = '\0'; /* null terminate */
101 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
102 strncpy(data, source, 100-1);
103 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
104 printLine(data);
105 delete [] data;
106 }
107}
108
109void good()
110{
111 goodG2B1();
112 goodG2B2();
113}
114
115#endif /* OMITGOOD */
116
117} /* close namespace */
118
119/* Below is the main(). It is only used when building this testcase on
120 its own for testing or for building a binary to use in testing binary
121 analysis tools. It is not used when compiling all the testcases as one
122 application, which is how source code analysis tools are tested. */
123
124#ifdef INCLUDEMAIN
125
126using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_ncpy_04; /* so that we can use good and bad easily */
127
128int main(int argc, char * argv[])
129{
130 /* seed randomness */
131 srand( (unsigned)time(NULL) );
132#ifndef OMITGOOD
133 printLine("Calling good()...");
134 good();
135 printLine("Finished good()");
136#endif /* OMITGOOD */
137#ifndef OMITBAD
138 printLine("Calling bad()...");
139 bad();
140 printLine("Finished bad()");
141#endif /* OMITBAD */
142 return 0;
143}
144
145#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8483: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_ncpy_13.cpp

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_ncpy_13.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml
4Template File: sources-sink-13.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: ncpy
12 * BadSink : Copy string to data using strncpy
13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_ncpy_13
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 char * data;
29 data = NULL;
30 if(GLOBAL_CONST_FIVE==5)
31 {
32 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
33 data = new char[50];
34 data[0] = '\0'; /* null terminate */
35 }
36 {
37 char source[100];
38 memset(source, 'C', 100-1); /* fill with 'C's */
39 source[100-1] = '\0'; /* null terminate */
40 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
41 strncpy(data, source, 100-1);❗VULN
42 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
43 printLine(data);
44 delete [] data;
45 }
46}
47
48#endif /* OMITBAD */
49
50#ifndef OMITGOOD
51
52/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */
53static void goodG2B1()
54{
55 char * data;
56 data = NULL;
57 if(GLOBAL_CONST_FIVE!=5)
58 {
59 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
60 printLine("Benign, fixed string");
61 }
62 else
63 {
64 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
65 data = new char[100];
66 data[0] = '\0'; /* null terminate */
67 }
68 {
69 char source[100];
70 memset(source, 'C', 100-1); /* fill with 'C's */
71 source[100-1] = '\0'; /* null terminate */
72 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
73 strncpy(data, source, 100-1);
74 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
75 printLine(data);
76 delete [] data;
77 }
78}
79
80/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
81static void goodG2B2()
82{
83 char * data;
84 data = NULL;
85 if(GLOBAL_CONST_FIVE==5)
86 {
87 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
88 data = new char[100];
89 data[0] = '\0'; /* null terminate */
90 }
91 {
92 char source[100];
93 memset(source, 'C', 100-1); /* fill with 'C's */
94 source[100-1] = '\0'; /* null terminate */
95 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
96 strncpy(data, source, 100-1);
97 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
98 printLine(data);
99 delete [] data;
100 }
101}
102
103void good()
104{
105 goodG2B1();
106 goodG2B2();
107}
108
109#endif /* OMITGOOD */
110
111} /* close namespace */
112
113/* Below is the main(). It is only used when building this testcase on
114 its own for testing or for building a binary to use in testing binary
115 analysis tools. It is not used when compiling all the testcases as one
116 application, which is how source code analysis tools are tested. */
117
118#ifdef INCLUDEMAIN
119
120using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_ncpy_13; /* so that we can use good and bad easily */
121
122int main(int argc, char * argv[])
123{
124 /* seed randomness */
125 srand( (unsigned)time(NULL) );
126#ifndef OMITGOOD
127 printLine("Calling good()...");
128 good();
129 printLine("Finished good()");
130#endif /* OMITGOOD */
131#ifndef OMITBAD
132 printLine("Calling bad()...");
133 bad();
134 printLine("Finished bad()");
135#endif /* OMITBAD */
136 return 0;
137}
138
139#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6959: CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_10.c

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_10.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__src.label.xml
4Template File: sources-sink-10.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: cat
12 * BadSink : Copy data to string using strcat
13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_10_bad()
24{
25 char * data;
26 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
27 data = dataBuffer;
28 if(globalTrue)
29 {
30 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
31 memset(data, 'A', 100-1); /* fill with 'A's */
32 data[100-1] = '\0'; /* null terminate */
33 }
34 {
35 char dest[50] = "";
36 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/
37 strcat(dest, data);❗VULN
38 printLine(data);
39 }
40}
41
42#endif /* OMITBAD */
43
44#ifndef OMITGOOD
45
46/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */
47static void goodG2B1()
48{
49 char * data;
50 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
51 data = dataBuffer;
52 if(globalFalse)
53 {
54 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
55 printLine("Benign, fixed string");
56 }
57 else
58 {
59 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
60 memset(data, 'A', 50-1); /* fill with 'A's */
61 data[50-1] = '\0'; /* null terminate */
62 }
63 {
64 char dest[50] = "";
65 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/
66 strcat(dest, data);
67 printLine(data);
68 }
69}
70
71/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
72static void goodG2B2()
73{
74 char * data;
75 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
76 data = dataBuffer;
77 if(globalTrue)
78 {
79 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
80 memset(data, 'A', 50-1); /* fill with 'A's */
81 data[50-1] = '\0'; /* null terminate */
82 }
83 {
84 char dest[50] = "";
85 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/
86 strcat(dest, data);
87 printLine(data);
88 }
89}
90
91void CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_10_good()
92{
93 goodG2B1();
94 goodG2B2();
95}
96
97#endif /* OMITGOOD */
98
99/* Below is the main(). It is only used when building this testcase on
100 * its own for testing or for building a binary to use in testing binary
101 * analysis tools. It is not used when compiling all the testcases as one
102 * application, which is how source code analysis tools are tested.
103 */
104
105#ifdef INCLUDEMAIN
106
107int main(int argc, char * argv[])
108{
109 /* seed randomness */
110 srand( (unsigned)time(NULL) );
111#ifndef OMITGOOD
112 printLine("Calling good()...");
113 CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_10_good();
114 printLine("Finished good()");
115#endif /* OMITGOOD */
116#ifndef OMITBAD
117 printLine("Calling bad()...");
118 CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_10_bad();
119 printLine("Finished bad()");
120#endif /* OMITBAD */
121 return 0;
122}
123
124#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 874: CWE124_Buffer_Underwrite__wchar_t_alloca_ncpy_16.c

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__wchar_t_alloca_ncpy_16.c
3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml
4Template File: sources-sink-16.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: ncpy
12 * BadSink : Copy string to data using wcsncpy
13 * Flow Variant: 16 Control flow: while(1)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE124_Buffer_Underwrite__wchar_t_alloca_ncpy_16_bad()
24{
25 wchar_t * data;
26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
27 wmemset(dataBuffer, L'A', 100-1);
28 dataBuffer[100-1] = L'\0';
29 while(1)
30 {
31 /* FLAW: Set data pointer to before the allocated memory buffer */
32 data = dataBuffer - 8;
33 break;
34 }
35 {
36 wchar_t source[100];
37 wmemset(source, L'C', 100-1); /* fill with 'C's */
38 source[100-1] = L'\0'; /* null terminate */
39 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
40 wcsncpy(data, source, 100-1);❗VULN
41 /* Ensure the destination buffer is null terminated */
42 data[100-1] = L'\0';
43 printWLine(data);
44 }
45}
46
47#endif /* OMITBAD */
48
49#ifndef OMITGOOD
50
51/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */
52static void goodG2B()
53{
54 wchar_t * data;
55 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
56 wmemset(dataBuffer, L'A', 100-1);
57 dataBuffer[100-1] = L'\0';
58 while(1)
59 {
60 /* FIX: Set data pointer to the allocated memory buffer */
61 data = dataBuffer;
62 break;
63 }
64 {
65 wchar_t source[100];
66 wmemset(source, L'C', 100-1); /* fill with 'C's */
67 source[100-1] = L'\0'; /* null terminate */
68 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
69 wcsncpy(data, source, 100-1);
70 /* Ensure the destination buffer is null terminated */
71 data[100-1] = L'\0';
72 printWLine(data);
73 }
74}
75
76void CWE124_Buffer_Underwrite__wchar_t_alloca_ncpy_16_good()
77{
78 goodG2B();
79}
80
81#endif /* OMITGOOD */
82
83/* Below is the main(). It is only used when building this testcase on
84 * its own for testing or for building a binary to use in testing binary
85 * analysis tools. It is not used when compiling all the testcases as one
86 * application, which is how source code analysis tools are tested.
87 */
88
89#ifdef INCLUDEMAIN
90
91int main(int argc, char * argv[])
92{
93 /* seed randomness */
94 srand( (unsigned)time(NULL) );
95#ifndef OMITGOOD
96 printLine("Calling good()...");
97 CWE124_Buffer_Underwrite__wchar_t_alloca_ncpy_16_good();
98 printLine("Finished good()");
99#endif /* OMITGOOD */
100#ifndef OMITBAD
101 printLine("Calling bad()...");
102 CWE124_Buffer_Underwrite__wchar_t_alloca_ncpy_16_bad();
103 printLine("Finished bad()");
104#endif /* OMITBAD */
105 return 0;
106}
107
108#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5942: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_34.c

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_34.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4Template File: sources-sink-34.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 * Sinks: ncat
12 * BadSink : Copy string to data using strncat
13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21typedef union
22{
23 char * unionFirst;
24 char * unionSecond;
25} CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_34_unionType;
26
27#ifndef OMITBAD
28
29void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_34_bad()
30{
31 char * data;
32 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_34_unionType myUnion;
33 data = NULL;
34 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
35 data = (char *)malloc(50*sizeof(char));
36 if (data == NULL) {exit(-1);}
37 data[0] = '\0'; /* null terminate */
38 myUnion.unionFirst = data;
39 {
40 char * data = myUnion.unionSecond;
41 {
42 char source[100];
43 memset(source, 'C', 100-1); /* fill with 'C's */
44 source[100-1] = '\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
46 strncat(data, source, 100);❗VULN
47 printLine(data);
48 free(data);
49 }
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B() uses the GoodSource with the BadSink */
58static void goodG2B()
59{
60 char * data;
61 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_34_unionType myUnion;
62 data = NULL;
63 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
64 data = (char *)malloc(100*sizeof(char));
65 if (data == NULL) {exit(-1);}
66 data[0] = '\0'; /* null terminate */
67 myUnion.unionFirst = data;
68 {
69 char * data = myUnion.unionSecond;
70 {
71 char source[100];
72 memset(source, 'C', 100-1); /* fill with 'C's */
73 source[100-1] = '\0'; /* null terminate */
74 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
75 strncat(data, source, 100);
76 printLine(data);
77 free(data);
78 }
79 }
80}
81
82void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_34_good()
83{
84 goodG2B();
85}
86
87#endif /* OMITGOOD */
88
89/* Below is the main(). It is only used when building this testcase on
90 * its own for testing or for building a binary to use in testing binary
91 * analysis tools. It is not used when compiling all the testcases as one
92 * application, which is how source code analysis tools are tested.
93 */
94#ifdef INCLUDEMAIN
95
96int main(int argc, char * argv[])
97{
98 /* seed randomness */
99 srand( (unsigned)time(NULL) );
100#ifndef OMITGOOD
101 printLine("Calling good()...");
102 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_34_good();
103 printLine("Finished good()");
104#endif /* OMITGOOD */
105#ifndef OMITBAD
106 printLine("Calling bad()...");
107 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_34_bad();
108 printLine("Finished bad()");
109#endif /* OMITBAD */
110 return 0;
111}
112
113#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8440: CWE127_Buffer_Underread__new_wchar_t_memcpy_32.cpp

Nodes: 17 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__new_wchar_t_memcpy_32.cpp
3Label Definition File: CWE127_Buffer_Underread__new.label.xml
4Template File: sources-sink-32.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE127_Buffer_Underread__new_wchar_t_memcpy_32
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 wchar_t * data;
29 wchar_t * *dataPtr1 = &data;
30 wchar_t * *dataPtr2 = &data;
31 data = NULL;
32 {
33 wchar_t * data = *dataPtr1;
34 {
35 wchar_t * dataBuffer = new wchar_t[100];
36 wmemset(dataBuffer, L'A', 100-1);
37 dataBuffer[100-1] = L'\0';
38 /* FLAW: Set data pointer to before the allocated memory buffer */
39 data = dataBuffer - 8;
40 }
41 *dataPtr1 = data;
42 }
43 {
44 wchar_t * data = *dataPtr2;
45 {
46 wchar_t dest[100];
47 wmemset(dest, L'C', 100-1); /* fill with 'C's */
48 dest[100-1] = L'\0'; /* null terminate */
49 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
50 memcpy(dest, data, 100*sizeof(wchar_t));❗VULN
51 /* Ensure null termination */
52 dest[100-1] = L'\0';
53 printWLine(dest);
54 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
55 * returned by new [] so can't safely call delete [] on it */
56 }
57 }
58}
59
60#endif /* OMITBAD */
61
62#ifndef OMITGOOD
63
64/* goodG2B() uses the GoodSource with the BadSink */
65static void goodG2B()
66{
67 wchar_t * data;
68 wchar_t * *dataPtr1 = &data;
69 wchar_t * *dataPtr2 = &data;
70 data = NULL;
71 {
72 wchar_t * data = *dataPtr1;
73 {
74 wchar_t * dataBuffer = new wchar_t[100];
75 wmemset(dataBuffer, L'A', 100-1);
76 dataBuffer[100-1] = L'\0';
77 /* FIX: Set data pointer to the allocated memory buffer */
78 data = dataBuffer;
79 }
80 *dataPtr1 = data;
81 }
82 {
83 wchar_t * data = *dataPtr2;
84 {
85 wchar_t dest[100];
86 wmemset(dest, L'C', 100-1); /* fill with 'C's */
87 dest[100-1] = L'\0'; /* null terminate */
88 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
89 memcpy(dest, data, 100*sizeof(wchar_t));
90 /* Ensure null termination */
91 dest[100-1] = L'\0';
92 printWLine(dest);
93 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
94 * returned by new [] so can't safely call delete [] on it */
95 }
96 }
97}
98
99void good()
100{
101 goodG2B();
102}
103
104#endif /* OMITGOOD */
105
106} /* close namespace */
107
108/* Below is the main(). It is only used when building this testcase on
109 its own for testing or for building a binary to use in testing binary
110 analysis tools. It is not used when compiling all the testcases as one
111 application, which is how source code analysis tools are tested. */
112#ifdef INCLUDEMAIN
113
114using namespace CWE127_Buffer_Underread__new_wchar_t_memcpy_32; /* so that we can use good and bad easily */
115
116int main(int argc, char * argv[])
117{
118 /* seed randomness */
119 srand( (unsigned)time(NULL) );
120#ifndef OMITGOOD
121 printLine("Calling good()...");
122 good();
123 printLine("Finished good()");
124#endif /* OMITGOOD */
125#ifndef OMITBAD
126 printLine("Calling bad()...");
127 bad();
128 printLine("Finished bad()");
129#endif /* OMITBAD */
130 return 0;
131}
132
133#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 628: CWE126_Buffer_Overread__CWE170_char_strncpy_15.c

Nodes: 11 | Sink Nodes: 2 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__CWE170_char_strncpy_15.c
3Label Definition File: CWE126_Buffer_Overread__CWE170.label.xml
4Template File: point-flaw-15.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Overread
9 * Sinks: strncpy
10 * GoodSink: Copy a string using strncpy() with explicit null termination
11 * BadSink : Copy a string using strncpy() without explicit null termination
12 * Flow Variant: 15 Control flow: switch(6)
13 *
14 * */
15
16#include "std_testcase.h"
17
18#include <wchar.h>
19
20#ifndef OMITBAD
21
22void CWE126_Buffer_Overread__CWE170_char_strncpy_15_bad()
23{
24 switch(6)
25 {
26 case 6:
27 {
28 char data[150], dest[100];
29 /* Initialize data */
30 memset(data, 'A', 149);
31 data[149] = '\0';
32 /* strncpy() does not null terminate if the string in the src buffer is larger than
33 * the number of characters being copied to the dest buffer */
34 strncpy(dest, data, 99);
35 /* FLAW: do not explicitly null terminate dest after the use of strncpy() */
36 printLine(dest);❗VULN
37 }
38 break;
39 default:
40 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
41 printLine("Benign, fixed string");
42 break;
43 }
44}
45
46#endif /* OMITBAD */
47
48#ifndef OMITGOOD
49
50/* good1() changes the switch to switch(5) */
51static void good1()
52{
53 switch(5)
54 {
55 case 6:
56 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
57 printLine("Benign, fixed string");
58 break;
59 default:
60 {
61 char data[150], dest[100];
62 /* Initialize data */
63 memset(data, 'A', 149);
64 data[149] = '\0';
65 /* strncpy() does not null terminate if the string in the src buffer is larger than
66 * the number of characters being copied to the dest buffer */
67 strncpy(dest, data, 99);
68 dest[99] = '\0'; /* FIX: Explicitly null terminate dest after the use of strncpy() */
69 printLine(dest);
70 }
71 break;
72 }
73}
74
75/* good2() reverses the blocks in the switch */
76static void good2()
77{
78 switch(6)
79 {
80 case 6:
81 {
82 char data[150], dest[100];
83 /* Initialize data */
84 memset(data, 'A', 149);
85 data[149] = '\0';
86 /* strncpy() does not null terminate if the string in the src buffer is larger than
87 * the number of characters being copied to the dest buffer */
88 strncpy(dest, data, 99);
89 dest[99] = '\0'; /* FIX: Explicitly null terminate dest after the use of strncpy() */
90 printLine(dest);
91 }
92 break;
93 default:
94 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
95 printLine("Benign, fixed string");
96 break;
97 }
98}
99
100void CWE126_Buffer_Overread__CWE170_char_strncpy_15_good()
101{
102 good1();
103 good2();
104}
105
106#endif /* OMITGOOD */
107
108/* Below is the main(). It is only used when building this testcase on
109 its own for testing or for building a binary to use in testing binary
110 analysis tools. It is not used when compiling all the testcases as one
111 application, which is how source code analysis tools are tested. */
112
113#ifdef INCLUDEMAIN
114
115int main(int argc, char * argv[])
116{
117 /* seed randomness */
118 srand( (unsigned)time(NULL) );
119#ifndef OMITGOOD
120 printLine("Calling good()...");
121 CWE126_Buffer_Overread__CWE170_char_strncpy_15_good();
122 printLine("Finished good()");
123#endif /* OMITGOOD */
124#ifndef OMITBAD
125 printLine("Calling bad()...");
126 CWE126_Buffer_Overread__CWE170_char_strncpy_15_bad();
127 printLine("Finished bad()");
128#endif /* OMITBAD */
129 return 0;
130}
131
132#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7307: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_snprintf_08.cpp

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_snprintf_08.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806.label.xml
4Template File: sources-sink-08.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: swprintf
12 * BadSink : Copy data to string using swprintf
13 * Flow Variant: 08 Control flow: if(staticReturnsTrue()) and if(staticReturnsFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifdef _WIN32
22#define SNPRINTF _snwprintf
23#else
24#define SNPRINTF swprintf
25#endif
26
27/* The two function below always return the same value, so a tool
28 should be able to identify that calls to the functions will always
29 return a fixed value. */
30static int staticReturnsTrue()
31{
32 return 1;
33}
34
35static int staticReturnsFalse()
36{
37 return 0;
38}
39
40namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_snprintf_08
41{
42
43#ifndef OMITBAD
44
45void bad()
46{
47 wchar_t * data;
48 data = new wchar_t[100];
49 if(staticReturnsTrue())
50 {
51 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
52 wmemset(data, L'A', 100-1); /* fill with L'A's */
53 data[100-1] = L'\0'; /* null terminate */
54 }
55 {
56 wchar_t dest[50] = L"";
57 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
58 SNPRINTF(dest, wcslen(data), L"%s", data);❗VULN
59 printWLine(data);
60 delete [] data;
61 }
62}
63
64#endif /* OMITBAD */
65
66#ifndef OMITGOOD
67
68/* goodG2B1() - use goodsource and badsink by changing the staticReturnsTrue() to staticReturnsFalse() */
69static void goodG2B1()
70{
71 wchar_t * data;
72 data = new wchar_t[100];
73 if(staticReturnsFalse())
74 {
75 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
76 printLine("Benign, fixed string");
77 }
78 else
79 {
80 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
81 wmemset(data, L'A', 50-1); /* fill with L'A's */
82 data[50-1] = L'\0'; /* null terminate */
83 }
84 {
85 wchar_t dest[50] = L"";
86 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
87 SNPRINTF(dest, wcslen(data), L"%s", data);
88 printWLine(data);
89 delete [] data;
90 }
91}
92
93/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
94static void goodG2B2()
95{
96 wchar_t * data;
97 data = new wchar_t[100];
98 if(staticReturnsTrue())
99 {
100 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
101 wmemset(data, L'A', 50-1); /* fill with L'A's */
102 data[50-1] = L'\0'; /* null terminate */
103 }
104 {
105 wchar_t dest[50] = L"";
106 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
107 SNPRINTF(dest, wcslen(data), L"%s", data);
108 printWLine(data);
109 delete [] data;
110 }
111}
112
113void good()
114{
115 goodG2B1();
116 goodG2B2();
117}
118
119#endif /* OMITGOOD */
120
121} /* close namespace */
122
123/* Below is the main(). It is only used when building this testcase on
124 its own for testing or for building a binary to use in testing binary
125 analysis tools. It is not used when compiling all the testcases as one
126 application, which is how source code analysis tools are tested. */
127
128#ifdef INCLUDEMAIN
129
130using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_snprintf_08; /* so that we can use good and bad easily */
131
132int main(int argc, char * argv[])
133{
134 /* seed randomness */
135 srand( (unsigned)time(NULL) );
136#ifndef OMITGOOD
137 printLine("Calling good()...");
138 good();
139 printLine("Finished good()");
140#endif /* OMITGOOD */
141#ifndef OMITBAD
142 printLine("Calling bad()...");
143 bad();
144 printLine("Finished bad()");
145#endif /* OMITBAD */
146 return 0;
147}
148
149#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3612: CWE124_Buffer_Underwrite__new_char_ncpy_33.cpp

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__new_char_ncpy_33.cpp
3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml
4Template File: sources-sink-33.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sinks: ncpy
12 * BadSink : Copy string to data using strncpy
13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE124_Buffer_Underwrite__new_char_ncpy_33
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 char * data;
29 char * &dataRef = data;
30 data = NULL;
31 {
32 char * dataBuffer = new char[100];
33 memset(dataBuffer, 'A', 100-1);
34 dataBuffer[100-1] = '\0';
35 /* FLAW: Set data pointer to before the allocated memory buffer */
36 data = dataBuffer - 8;
37 }
38 {
39 char * data = dataRef;
40 {
41 char source[100];
42 memset(source, 'C', 100-1); /* fill with 'C's */
43 source[100-1] = '\0'; /* null terminate */
44 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
45 strncpy(data, source, 100-1);❗VULN
46 /* Ensure the destination buffer is null terminated */
47 data[100-1] = '\0';
48 printLine(data);
49 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
50 * returned by new [] so can't safely call delete [] on it */
51 }
52 }
53}
54
55#endif /* OMITBAD */
56
57#ifndef OMITGOOD
58
59/* goodG2B() uses the GoodSource with the BadSink */
60static void goodG2B()
61{
62 char * data;
63 char * &dataRef = data;
64 data = NULL;
65 {
66 char * dataBuffer = new char[100];
67 memset(dataBuffer, 'A', 100-1);
68 dataBuffer[100-1] = '\0';
69 /* FIX: Set data pointer to the allocated memory buffer */
70 data = dataBuffer;
71 }
72 {
73 char * data = dataRef;
74 {
75 char source[100];
76 memset(source, 'C', 100-1); /* fill with 'C's */
77 source[100-1] = '\0'; /* null terminate */
78 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
79 strncpy(data, source, 100-1);
80 /* Ensure the destination buffer is null terminated */
81 data[100-1] = '\0';
82 printLine(data);
83 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
84 * returned by new [] so can't safely call delete [] on it */
85 }
86 }
87}
88
89void good()
90{
91 goodG2B();
92}
93
94#endif /* OMITGOOD */
95
96} /* close namespace */
97
98/* Below is the main(). It is only used when building this testcase on
99 its own for testing or for building a binary to use in testing binary
100 analysis tools. It is not used when compiling all the testcases as one
101 application, which is how source code analysis tools are tested. */
102#ifdef INCLUDEMAIN
103
104using namespace CWE124_Buffer_Underwrite__new_char_ncpy_33; /* so that we can use good and bad easily */
105
106int main(int argc, char * argv[])
107{
108 /* seed randomness */
109 srand( (unsigned)time(NULL) );
110#ifndef OMITGOOD
111 printLine("Calling good()...");
112 good();
113 printLine("Finished good()");
114#endif /* OMITGOOD */
115#ifndef OMITBAD
116 printLine("Calling bad()...");
117 bad();
118 printLine("Finished bad()");
119#endif /* OMITBAD */
120 return 0;
121}
122
123#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4952: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_ncpy_01.cpp

Nodes: 7 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_ncpy_01.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193.label.xml
4Template File: sources-sink-01.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 * GoodSource: Allocate enough memory for a string and the NULL terminator
11 * Sink: ncpy
12 * BadSink : Copy string to data using strncpy()
13 * Flow Variant: 01 Baseline
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING "AAAAAAAAAA"
25
26namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_ncpy_01
27{
28
29#ifndef OMITBAD
30
31void bad()
32{
33 char * data;
34 data = NULL;
35 /* FLAW: Did not leave space for a null terminator */
36 data = new char[10];
37 {
38 char source[10+1] = SRC_STRING;
39 /* Copy length + 1 to include NUL terminator from source */
40 /* POTENTIAL FLAW: data may not have enough space to hold source */
41 strncpy(data, source, strlen(source) + 1);❗VULN
42 printLine(data);
43 delete [] data;
44 }
45}
46
47#endif /* OMITBAD */
48
49#ifndef OMITGOOD
50
51/* goodG2B uses the GoodSource with the BadSink */
52static void goodG2B()
53{
54 char * data;
55 data = NULL;
56 /* FIX: Allocate space for a null terminator */
57 data = new char[10+1];
58 {
59 char source[10+1] = SRC_STRING;
60 /* Copy length + 1 to include NUL terminator from source */
61 /* POTENTIAL FLAW: data may not have enough space to hold source */
62 strncpy(data, source, strlen(source) + 1);
63 printLine(data);
64 delete [] data;
65 }
66}
67
68void good()
69{
70 goodG2B();
71}
72
73#endif /* OMITGOOD */
74
75} /* close namespace */
76
77/* Below is the main(). It is only used when building this testcase on
78 its own for testing or for building a binary to use in testing binary
79 analysis tools. It is not used when compiling all the testcases as one
80 application, which is how source code analysis tools are tested. */
81
82#ifdef INCLUDEMAIN
83
84using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_ncpy_01; /* so that we can use good and bad easily */
85
86int main(int argc, char * argv[])
87{
88 /* seed randomness */
89 srand( (unsigned)time(NULL) );
90#ifndef OMITGOOD
91 printLine("Calling good()...");
92 good();
93 printLine("Finished good()");
94#endif /* OMITGOOD */
95#ifndef OMITBAD
96 printLine("Calling bad()...");
97 bad();
98 printLine("Finished bad()");
99#endif /* OMITBAD */
100 return 0;
101}
102
103#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3437: CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cpy_18.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cpy_18.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__src.label.xml
4Template File: sources-sink-18.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: cpy
12 * BadSink : Copy data to string using wcscpy
13 * Flow Variant: 18 Control flow: goto statements
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cpy_18_bad()
24{
25 wchar_t * data;
26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
27 data = dataBuffer;
28 goto source;
29source:
30 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
31 wmemset(data, L'A', 100-1); /* fill with L'A's */
32 data[100-1] = L'\0'; /* null terminate */
33 {
34 wchar_t dest[50] = L"";
35 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
36 wcscpy(dest, data);❗VULN
37 printWLine(data);
38 }
39}
40
41#endif /* OMITBAD */
42
43#ifndef OMITGOOD
44
45/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
46static void goodG2B()
47{
48 wchar_t * data;
49 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
50 data = dataBuffer;
51 goto source;
52source:
53 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
54 wmemset(data, L'A', 50-1); /* fill with L'A's */
55 data[50-1] = L'\0'; /* null terminate */
56 {
57 wchar_t dest[50] = L"";
58 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
59 wcscpy(dest, data);
60 printWLine(data);
61 }
62}
63
64void CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cpy_18_good()
65{
66 goodG2B();
67}
68
69#endif /* OMITGOOD */
70
71/* Below is the main(). It is only used when building this testcase on
72 * its own for testing or for building a binary to use in testing binary
73 * analysis tools. It is not used when compiling all the testcases as one
74 * application, which is how source code analysis tools are tested.
75 */
76
77#ifdef INCLUDEMAIN
78
79int main(int argc, char * argv[])
80{
81 /* seed randomness */
82 srand( (unsigned)time(NULL) );
83#ifndef OMITGOOD
84 printLine("Calling good()...");
85 CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cpy_18_good();
86 printLine("Finished good()");
87#endif /* OMITGOOD */
88#ifndef OMITBAD
89 printLine("Calling bad()...");
90 CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cpy_18_bad();
91 printLine("Finished bad()");
92#endif /* OMITBAD */
93 return 0;
94}
95
96#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4439: CWE127_Buffer_Underread__char_declare_memmove_01.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__char_declare_memmove_01.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-01.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 01 Baseline
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__char_declare_memmove_01_bad()
24{
25 char * data;
26 char dataBuffer[100];
27 memset(dataBuffer, 'A', 100-1);
28 dataBuffer[100-1] = '\0';
29 /* FLAW: Set data pointer to before the allocated memory buffer */
30 data = dataBuffer - 8;
31 {
32 char dest[100];
33 memset(dest, 'C', 100-1); /* fill with 'C's */
34 dest[100-1] = '\0'; /* null terminate */
35 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
36 memmove(dest, data, 100*sizeof(char));❗VULN
37 /* Ensure null termination */
38 dest[100-1] = '\0';
39 printLine(dest);
40 }
41}
42
43#endif /* OMITBAD */
44
45#ifndef OMITGOOD
46
47/* goodG2B uses the GoodSource with the BadSink */
48static void goodG2B()
49{
50 char * data;
51 char dataBuffer[100];
52 memset(dataBuffer, 'A', 100-1);
53 dataBuffer[100-1] = '\0';
54 /* FIX: Set data pointer to the allocated memory buffer */
55 data = dataBuffer;
56 {
57 char dest[100];
58 memset(dest, 'C', 100-1); /* fill with 'C's */
59 dest[100-1] = '\0'; /* null terminate */
60 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
61 memmove(dest, data, 100*sizeof(char));
62 /* Ensure null termination */
63 dest[100-1] = '\0';
64 printLine(dest);
65 }
66}
67
68void CWE127_Buffer_Underread__char_declare_memmove_01_good()
69{
70 goodG2B();
71}
72
73#endif /* OMITGOOD */
74
75/* Below is the main(). It is only used when building this testcase on
76 * its own for testing or for building a binary to use in testing binary
77 * analysis tools. It is not used when compiling all the testcases as one
78 * application, which is how source code analysis tools are tested.
79 */
80
81#ifdef INCLUDEMAIN
82
83int main(int argc, char * argv[])
84{
85 /* seed randomness */
86 srand( (unsigned)time(NULL) );
87#ifndef OMITGOOD
88 printLine("Calling good()...");
89 CWE127_Buffer_Underread__char_declare_memmove_01_good();
90 printLine("Finished good()");
91#endif /* OMITGOOD */
92#ifndef OMITBAD
93 printLine("Calling bad()...");
94 CWE127_Buffer_Underread__char_declare_memmove_01_bad();
95 printLine("Finished bad()");
96#endif /* OMITBAD */
97 return 0;
98}
99
100#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2492: CWE121_Stack_Based_Buffer_Overflow__dest_char_alloca_cpy_07.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__dest_char_alloca_cpy_07.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml
4Template File: sources-sink-07.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: cpy
12 * BadSink : Copy string to data using strcpy
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The variable below is not declared "const", but is never assigned
22 * any other value so a tool should be able to identify that reads of
23 * this will always give its initialized value.
24 */
25static int staticFive = 5;
26
27#ifndef OMITBAD
28
29void CWE121_Stack_Based_Buffer_Overflow__dest_char_alloca_cpy_07_bad()
30{
31 char * data;
32 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
33 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
34 if(staticFive==5)
35 {
36 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
37 * buffer in various memory copying functions using a "large" source buffer. */
38 data = dataBadBuffer;
39 data[0] = '\0'; /* null terminate */
40 }
41 {
42 char source[100];
43 memset(source, 'C', 100-1); /* fill with 'C's */
44 source[100-1] = '\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
46 strcpy(data, source);❗VULN
47 printLine(data);
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
56static void goodG2B1()
57{
58 char * data;
59 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
60 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
61 if(staticFive!=5)
62 {
63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
64 printLine("Benign, fixed string");
65 }
66 else
67 {
68 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
69 data = dataGoodBuffer;
70 data[0] = '\0'; /* null terminate */
71 }
72 {
73 char source[100];
74 memset(source, 'C', 100-1); /* fill with 'C's */
75 source[100-1] = '\0'; /* null terminate */
76 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
77 strcpy(data, source);
78 printLine(data);
79 }
80}
81
82/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
83static void goodG2B2()
84{
85 char * data;
86 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
87 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
88 if(staticFive==5)
89 {
90 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
91 data = dataGoodBuffer;
92 data[0] = '\0'; /* null terminate */
93 }
94 {
95 char source[100];
96 memset(source, 'C', 100-1); /* fill with 'C's */
97 source[100-1] = '\0'; /* null terminate */
98 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
99 strcpy(data, source);
100 printLine(data);
101 }
102}
103
104void CWE121_Stack_Based_Buffer_Overflow__dest_char_alloca_cpy_07_good()
105{
106 goodG2B1();
107 goodG2B2();
108}
109
110#endif /* OMITGOOD */
111
112/* Below is the main(). It is only used when building this testcase on
113 * its own for testing or for building a binary to use in testing binary
114 * analysis tools. It is not used when compiling all the testcases as one
115 * application, which is how source code analysis tools are tested.
116 */
117
118#ifdef INCLUDEMAIN
119
120int main(int argc, char * argv[])
121{
122 /* seed randomness */
123 srand( (unsigned)time(NULL) );
124#ifndef OMITGOOD
125 printLine("Calling good()...");
126 CWE121_Stack_Based_Buffer_Overflow__dest_char_alloca_cpy_07_good();
127 printLine("Finished good()");
128#endif /* OMITGOOD */
129#ifndef OMITBAD
130 printLine("Calling bad()...");
131 CWE121_Stack_Based_Buffer_Overflow__dest_char_alloca_cpy_07_bad();
132 printLine("Finished bad()");
133#endif /* OMITBAD */
134 return 0;
135}
136
137#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9404: CWE127_Buffer_Underread__malloc_wchar_t_ncpy_02.c

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__malloc_wchar_t_ncpy_02.c
3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml
4Template File: sources-sink-02.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: ncpy
12 * BadSink : Copy data to string using wcsncpy
13 * Flow Variant: 02 Control flow: if(1) and if(0)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__malloc_wchar_t_ncpy_02_bad()
24{
25 wchar_t * data;
26 data = NULL;
27 if(1)
28 {
29 {
30 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
31 if (dataBuffer == NULL) {exit(-1);}
32 wmemset(dataBuffer, L'A', 100-1);
33 dataBuffer[100-1] = L'\0';
34 /* FLAW: Set data pointer to before the allocated memory buffer */
35 data = dataBuffer - 8;
36 }
37 }
38 {
39 wchar_t dest[100];
40 wmemset(dest, L'C', 100-1); /* fill with 'C's */
41 dest[100-1] = L'\0'; /* null terminate */
42 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
43 wcsncpy(dest, data, wcslen(dest));❗VULN
44 /* Ensure null termination */
45 dest[100-1] = L'\0';
46 printWLine(dest);
47 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
48 * returned by malloc() so can't safely call free() on it */
49 }
50}
51
52#endif /* OMITBAD */
53
54#ifndef OMITGOOD
55
56/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */
57static void goodG2B1()
58{
59 wchar_t * data;
60 data = NULL;
61 if(0)
62 {
63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
64 printLine("Benign, fixed string");
65 }
66 else
67 {
68 {
69 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
70 if (dataBuffer == NULL) {exit(-1);}
71 wmemset(dataBuffer, L'A', 100-1);
72 dataBuffer[100-1] = L'\0';
73 /* FIX: Set data pointer to the allocated memory buffer */
74 data = dataBuffer;
75 }
76 }
77 {
78 wchar_t dest[100];
79 wmemset(dest, L'C', 100-1); /* fill with 'C's */
80 dest[100-1] = L'\0'; /* null terminate */
81 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
82 wcsncpy(dest, data, wcslen(dest));
83 /* Ensure null termination */
84 dest[100-1] = L'\0';
85 printWLine(dest);
86 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
87 * returned by malloc() so can't safely call free() on it */
88 }
89}
90
91/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
92static void goodG2B2()
93{
94 wchar_t * data;
95 data = NULL;
96 if(1)
97 {
98 {
99 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
100 if (dataBuffer == NULL) {exit(-1);}
101 wmemset(dataBuffer, L'A', 100-1);
102 dataBuffer[100-1] = L'\0';
103 /* FIX: Set data pointer to the allocated memory buffer */
104 data = dataBuffer;
105 }
106 }
107 {
108 wchar_t dest[100];
109 wmemset(dest, L'C', 100-1); /* fill with 'C's */
110 dest[100-1] = L'\0'; /* null terminate */
111 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
112 wcsncpy(dest, data, wcslen(dest));
113 /* Ensure null termination */
114 dest[100-1] = L'\0';
115 printWLine(dest);
116 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
117 * returned by malloc() so can't safely call free() on it */
118 }
119}
120
121void CWE127_Buffer_Underread__malloc_wchar_t_ncpy_02_good()
122{
123 goodG2B1();
124 goodG2B2();
125}
126
127#endif /* OMITGOOD */
128
129/* Below is the main(). It is only used when building this testcase on
130 * its own for testing or for building a binary to use in testing binary
131 * analysis tools. It is not used when compiling all the testcases as one
132 * application, which is how source code analysis tools are tested.
133 */
134
135#ifdef INCLUDEMAIN
136
137int main(int argc, char * argv[])
138{
139 /* seed randomness */
140 srand( (unsigned)time(NULL) );
141#ifndef OMITGOOD
142 printLine("Calling good()...");
143 CWE127_Buffer_Underread__malloc_wchar_t_ncpy_02_good();
144 printLine("Finished good()");
145#endif /* OMITGOOD */
146#ifndef OMITBAD
147 printLine("Calling bad()...");
148 CWE127_Buffer_Underread__malloc_wchar_t_ncpy_02_bad();
149 printLine("Finished bad()");
150#endif /* OMITBAD */
151 return 0;
152}
153
154#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8867: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memcpy_05.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memcpy_05.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml
4Template File: sources-sink-05.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are not defined as "const", but are never
22 * assigned any other value, so a tool should be able to identify that
23 * reads of these will always return their initialized values.
24 */
25static int staticTrue = 1; /* true */
26static int staticFalse = 0; /* false */
27
28#ifndef OMITBAD
29
30void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memcpy_05_bad()
31{
32 char * data;
33 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
34 data = dataBuffer;
35 if(staticTrue)
36 {
37 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
38 memset(data, 'A', 100-1); /* fill with 'A's */
39 data[100-1] = '\0'; /* null terminate */
40 }
41 {
42 char dest[50] = "";
43 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
44 memcpy(dest, data, strlen(data)*sizeof(char));❗VULN
45 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
46 printLine(data);
47 }
48}
49
50#endif /* OMITBAD */
51
52#ifndef OMITGOOD
53
54/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */
55static void goodG2B1()
56{
57 char * data;
58 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
59 data = dataBuffer;
60 if(staticFalse)
61 {
62 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
63 printLine("Benign, fixed string");
64 }
65 else
66 {
67 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
68 memset(data, 'A', 50-1); /* fill with 'A's */
69 data[50-1] = '\0'; /* null terminate */
70 }
71 {
72 char dest[50] = "";
73 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
74 memcpy(dest, data, strlen(data)*sizeof(char));
75 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
76 printLine(data);
77 }
78}
79
80/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
81static void goodG2B2()
82{
83 char * data;
84 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
85 data = dataBuffer;
86 if(staticTrue)
87 {
88 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
89 memset(data, 'A', 50-1); /* fill with 'A's */
90 data[50-1] = '\0'; /* null terminate */
91 }
92 {
93 char dest[50] = "";
94 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
95 memcpy(dest, data, strlen(data)*sizeof(char));
96 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
97 printLine(data);
98 }
99}
100
101void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memcpy_05_good()
102{
103 goodG2B1();
104 goodG2B2();
105}
106
107#endif /* OMITGOOD */
108
109/* Below is the main(). It is only used when building this testcase on
110 * its own for testing or for building a binary to use in testing binary
111 * analysis tools. It is not used when compiling all the testcases as one
112 * application, which is how source code analysis tools are tested.
113 */
114
115#ifdef INCLUDEMAIN
116
117int main(int argc, char * argv[])
118{
119 /* seed randomness */
120 srand( (unsigned)time(NULL) );
121#ifndef OMITGOOD
122 printLine("Calling good()...");
123 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memcpy_05_good();
124 printLine("Finished good()");
125#endif /* OMITGOOD */
126#ifndef OMITBAD
127 printLine("Calling bad()...");
128 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memcpy_05_bad();
129 printLine("Finished bad()");
130#endif /* OMITBAD */
131 return 0;
132}
133
134#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4365: CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_10.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_10.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-10.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: loop
12 * BadSink : Copy int64_t array to data using a loop
13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_10_bad()
22{
23 int64_t * data;
24 int64_t dataBadBuffer[50];
25 int64_t dataGoodBuffer[100];
26 if(globalTrue)
27 {
28 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
29 * buffer in various memory copying functions using a "large" source buffer. */
30 data = dataBadBuffer;
31 }
32 {
33 int64_t source[100] = {0}; /* fill with 0's */
34 {
35 size_t i;
36 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
37 for (i = 0; i < 100; i++)
38 {
39 data[i] = source[i];❗VULN
40 }
41 printLongLongLine(data[0]);
42 }
43 }
44}
45
46#endif /* OMITBAD */
47
48#ifndef OMITGOOD
49
50/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */
51static void goodG2B1()
52{
53 int64_t * data;
54 int64_t dataBadBuffer[50];
55 int64_t dataGoodBuffer[100];
56 if(globalFalse)
57 {
58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
59 printLine("Benign, fixed string");
60 }
61 else
62 {
63 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
64 data = dataGoodBuffer;
65 }
66 {
67 int64_t source[100] = {0}; /* fill with 0's */
68 {
69 size_t i;
70 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
71 for (i = 0; i < 100; i++)
72 {
73 data[i] = source[i];
74 }
75 printLongLongLine(data[0]);
76 }
77 }
78}
79
80/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
81static void goodG2B2()
82{
83 int64_t * data;
84 int64_t dataBadBuffer[50];
85 int64_t dataGoodBuffer[100];
86 if(globalTrue)
87 {
88 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
89 data = dataGoodBuffer;
90 }
91 {
92 int64_t source[100] = {0}; /* fill with 0's */
93 {
94 size_t i;
95 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
96 for (i = 0; i < 100; i++)
97 {
98 data[i] = source[i];
99 }
100 printLongLongLine(data[0]);
101 }
102 }
103}
104
105void CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_10_good()
106{
107 goodG2B1();
108 goodG2B2();
109}
110
111#endif /* OMITGOOD */
112
113/* Below is the main(). It is only used when building this testcase on
114 * its own for testing or for building a binary to use in testing binary
115 * analysis tools. It is not used when compiling all the testcases as one
116 * application, which is how source code analysis tools are tested.
117 */
118
119#ifdef INCLUDEMAIN
120
121int main(int argc, char * argv[])
122{
123 /* seed randomness */
124 srand( (unsigned)time(NULL) );
125#ifndef OMITGOOD
126 printLine("Calling good()...");
127 CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_10_good();
128 printLine("Finished good()");
129#endif /* OMITGOOD */
130#ifndef OMITBAD
131 printLine("Calling bad()...");
132 CWE121_Stack_Based_Buffer_Overflow__CWE805_int64_t_declare_loop_10_bad();
133 printLine("Finished bad()");
134#endif /* OMITBAD */
135 return 0;
136}
137
138#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7629: CWE126_Buffer_Overread__malloc_wchar_t_loop_09.c

Nodes: 20 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__malloc_wchar_t_loop_09.c
3Label Definition File: CWE126_Buffer_Overread__malloc.label.xml
4Template File: sources-sink-09.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Use a small buffer
10 * GoodSource: Use a large buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE) and if(GLOBAL_CONST_FALSE)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE126_Buffer_Overread__malloc_wchar_t_loop_09_bad()
24{
25 wchar_t * data;
26 data = NULL;
27 if(GLOBAL_CONST_TRUE)
28 {
29 /* FLAW: Use a small buffer */
30 data = (wchar_t *)malloc(50*sizeof(wchar_t));
31 if (data == NULL) {exit(-1);}
32 wmemset(data, L'A', 50-1); /* fill with 'A's */
33 data[50-1] = L'\0'; /* null terminate */
34 }
35 {
36 size_t i, destLen;
37 wchar_t dest[100];
38 wmemset(dest, L'C', 100-1);
39 dest[100-1] = L'\0'; /* null terminate */
40 destLen = wcslen(dest);
41 /* POTENTIAL FLAW: using length of the dest where data
42 * could be smaller than dest causing buffer overread */
43 for (i = 0; i < destLen; i++)
44 {
45 dest[i] = data[i];❗VULN
46 }
47 dest[100-1] = L'\0';
48 printWLine(dest);
49 free(data);
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */
58static void goodG2B1()
59{
60 wchar_t * data;
61 data = NULL;
62 if(GLOBAL_CONST_FALSE)
63 {
64 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
65 printLine("Benign, fixed string");
66 }
67 else
68 {
69 /* FIX: Use a large buffer */
70 data = (wchar_t *)malloc(100*sizeof(wchar_t));
71 if (data == NULL) {exit(-1);}
72 wmemset(data, L'A', 100-1); /* fill with 'A's */
73 data[100-1] = L'\0'; /* null terminate */
74 }
75 {
76 size_t i, destLen;
77 wchar_t dest[100];
78 wmemset(dest, L'C', 100-1);
79 dest[100-1] = L'\0'; /* null terminate */
80 destLen = wcslen(dest);
81 /* POTENTIAL FLAW: using length of the dest where data
82 * could be smaller than dest causing buffer overread */
83 for (i = 0; i < destLen; i++)
84 {
85 dest[i] = data[i];
86 }
87 dest[100-1] = L'\0';
88 printWLine(dest);
89 free(data);
90 }
91}
92
93/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
94static void goodG2B2()
95{
96 wchar_t * data;
97 data = NULL;
98 if(GLOBAL_CONST_TRUE)
99 {
100 /* FIX: Use a large buffer */
101 data = (wchar_t *)malloc(100*sizeof(wchar_t));
102 if (data == NULL) {exit(-1);}
103 wmemset(data, L'A', 100-1); /* fill with 'A's */
104 data[100-1] = L'\0'; /* null terminate */
105 }
106 {
107 size_t i, destLen;
108 wchar_t dest[100];
109 wmemset(dest, L'C', 100-1);
110 dest[100-1] = L'\0'; /* null terminate */
111 destLen = wcslen(dest);
112 /* POTENTIAL FLAW: using length of the dest where data
113 * could be smaller than dest causing buffer overread */
114 for (i = 0; i < destLen; i++)
115 {
116 dest[i] = data[i];
117 }
118 dest[100-1] = L'\0';
119 printWLine(dest);
120 free(data);
121 }
122}
123
124void CWE126_Buffer_Overread__malloc_wchar_t_loop_09_good()
125{
126 goodG2B1();
127 goodG2B2();
128}
129
130#endif /* OMITGOOD */
131
132/* Below is the main(). It is only used when building this testcase on
133 * its own for testing or for building a binary to use in testing binary
134 * analysis tools. It is not used when compiling all the testcases as one
135 * application, which is how source code analysis tools are tested.
136 */
137
138#ifdef INCLUDEMAIN
139
140int main(int argc, char * argv[])
141{
142 /* seed randomness */
143 srand( (unsigned)time(NULL) );
144#ifndef OMITGOOD
145 printLine("Calling good()...");
146 CWE126_Buffer_Overread__malloc_wchar_t_loop_09_good();
147 printLine("Finished good()");
148#endif /* OMITGOOD */
149#ifndef OMITBAD
150 printLine("Calling bad()...");
151 CWE126_Buffer_Overread__malloc_wchar_t_loop_09_bad();
152 printLine("Finished bad()");
153#endif /* OMITBAD */
154 return 0;
155}
156
157#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8106: CWE127_Buffer_Underread__wchar_t_alloca_memmove_04.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__wchar_t_alloca_memmove_04.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-04.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are declared "const", so a tool should
22 * be able to identify that reads of these will always return their
23 * initialized values.
24 */
25static const int STATIC_CONST_TRUE = 1; /* true */
26static const int STATIC_CONST_FALSE = 0; /* false */
27
28#ifndef OMITBAD
29
30void CWE127_Buffer_Underread__wchar_t_alloca_memmove_04_bad()
31{
32 wchar_t * data;
33 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
34 wmemset(dataBuffer, L'A', 100-1);
35 dataBuffer[100-1] = L'\0';
36 if(STATIC_CONST_TRUE)
37 {
38 /* FLAW: Set data pointer to before the allocated memory buffer */
39 data = dataBuffer - 8;
40 }
41 {
42 wchar_t dest[100];
43 wmemset(dest, L'C', 100-1); /* fill with 'C's */
44 dest[100-1] = L'\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
46 memmove(dest, data, 100*sizeof(wchar_t));❗VULN
47 /* Ensure null termination */
48 dest[100-1] = L'\0';
49 printWLine(dest);
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */
58static void goodG2B1()
59{
60 wchar_t * data;
61 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
62 wmemset(dataBuffer, L'A', 100-1);
63 dataBuffer[100-1] = L'\0';
64 if(STATIC_CONST_FALSE)
65 {
66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
67 printLine("Benign, fixed string");
68 }
69 else
70 {
71 /* FIX: Set data pointer to the allocated memory buffer */
72 data = dataBuffer;
73 }
74 {
75 wchar_t dest[100];
76 wmemset(dest, L'C', 100-1); /* fill with 'C's */
77 dest[100-1] = L'\0'; /* null terminate */
78 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
79 memmove(dest, data, 100*sizeof(wchar_t));
80 /* Ensure null termination */
81 dest[100-1] = L'\0';
82 printWLine(dest);
83 }
84}
85
86/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
87static void goodG2B2()
88{
89 wchar_t * data;
90 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
91 wmemset(dataBuffer, L'A', 100-1);
92 dataBuffer[100-1] = L'\0';
93 if(STATIC_CONST_TRUE)
94 {
95 /* FIX: Set data pointer to the allocated memory buffer */
96 data = dataBuffer;
97 }
98 {
99 wchar_t dest[100];
100 wmemset(dest, L'C', 100-1); /* fill with 'C's */
101 dest[100-1] = L'\0'; /* null terminate */
102 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
103 memmove(dest, data, 100*sizeof(wchar_t));
104 /* Ensure null termination */
105 dest[100-1] = L'\0';
106 printWLine(dest);
107 }
108}
109
110void CWE127_Buffer_Underread__wchar_t_alloca_memmove_04_good()
111{
112 goodG2B1();
113 goodG2B2();
114}
115
116#endif /* OMITGOOD */
117
118/* Below is the main(). It is only used when building this testcase on
119 * its own for testing or for building a binary to use in testing binary
120 * analysis tools. It is not used when compiling all the testcases as one
121 * application, which is how source code analysis tools are tested.
122 */
123
124#ifdef INCLUDEMAIN
125
126int main(int argc, char * argv[])
127{
128 /* seed randomness */
129 srand( (unsigned)time(NULL) );
130#ifndef OMITGOOD
131 printLine("Calling good()...");
132 CWE127_Buffer_Underread__wchar_t_alloca_memmove_04_good();
133 printLine("Finished good()");
134#endif /* OMITGOOD */
135#ifndef OMITBAD
136 printLine("Calling bad()...");
137 CWE127_Buffer_Underread__wchar_t_alloca_memmove_04_bad();
138 printLine("Finished bad()");
139#endif /* OMITBAD */
140 return 0;
141}
142
143#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3628: CWE123_Write_What_Where_Condition__connect_socket_16.c

Nodes: 37 | Sink Nodes: 2 predicted, 2 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* Error: Could not load file CWE123_Write_What_Where_Condition__connect_socket_16.c: File CWE123_Write_What_Where_Condition__connect_socket_16.c not found in any subfolder of /home/nimana11/Thesis/codes/VulExplainerExp-84ED_2/datasets/buffer overflow/function/testcases/CWE123_Write_What_Where_Condition */

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6921: CWE127_Buffer_Underread__wchar_t_alloca_cpy_13.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__wchar_t_alloca_cpy_13.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-13.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: cpy
12 * BadSink : Copy data to string using wcscpy
13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__wchar_t_alloca_cpy_13_bad()
24{
25 wchar_t * data;
26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
27 wmemset(dataBuffer, L'A', 100-1);
28 dataBuffer[100-1] = L'\0';
29 if(GLOBAL_CONST_FIVE==5)
30 {
31 /* FLAW: Set data pointer to before the allocated memory buffer */
32 data = dataBuffer - 8;
33 }
34 {
35 wchar_t dest[100*2];
36 wmemset(dest, L'C', 100*2-1); /* fill with 'C's */
37 dest[100*2-1] = L'\0'; /* null terminate */
38 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
39 wcscpy(dest, data);❗VULN
40 printWLine(dest);
41 }
42}
43
44#endif /* OMITBAD */
45
46#ifndef OMITGOOD
47
48/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */
49static void goodG2B1()
50{
51 wchar_t * data;
52 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
53 wmemset(dataBuffer, L'A', 100-1);
54 dataBuffer[100-1] = L'\0';
55 if(GLOBAL_CONST_FIVE!=5)
56 {
57 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
58 printLine("Benign, fixed string");
59 }
60 else
61 {
62 /* FIX: Set data pointer to the allocated memory buffer */
63 data = dataBuffer;
64 }
65 {
66 wchar_t dest[100*2];
67 wmemset(dest, L'C', 100*2-1); /* fill with 'C's */
68 dest[100*2-1] = L'\0'; /* null terminate */
69 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
70 wcscpy(dest, data);
71 printWLine(dest);
72 }
73}
74
75/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
76static void goodG2B2()
77{
78 wchar_t * data;
79 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
80 wmemset(dataBuffer, L'A', 100-1);
81 dataBuffer[100-1] = L'\0';
82 if(GLOBAL_CONST_FIVE==5)
83 {
84 /* FIX: Set data pointer to the allocated memory buffer */
85 data = dataBuffer;
86 }
87 {
88 wchar_t dest[100*2];
89 wmemset(dest, L'C', 100*2-1); /* fill with 'C's */
90 dest[100*2-1] = L'\0'; /* null terminate */
91 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
92 wcscpy(dest, data);
93 printWLine(dest);
94 }
95}
96
97void CWE127_Buffer_Underread__wchar_t_alloca_cpy_13_good()
98{
99 goodG2B1();
100 goodG2B2();
101}
102
103#endif /* OMITGOOD */
104
105/* Below is the main(). It is only used when building this testcase on
106 * its own for testing or for building a binary to use in testing binary
107 * analysis tools. It is not used when compiling all the testcases as one
108 * application, which is how source code analysis tools are tested.
109 */
110
111#ifdef INCLUDEMAIN
112
113int main(int argc, char * argv[])
114{
115 /* seed randomness */
116 srand( (unsigned)time(NULL) );
117#ifndef OMITGOOD
118 printLine("Calling good()...");
119 CWE127_Buffer_Underread__wchar_t_alloca_cpy_13_good();
120 printLine("Finished good()");
121#endif /* OMITGOOD */
122#ifndef OMITBAD
123 printLine("Calling bad()...");
124 CWE127_Buffer_Underread__wchar_t_alloca_cpy_13_bad();
125 printLine("Finished bad()");
126#endif /* OMITBAD */
127 return 0;
128}
129
130#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 848: CWE126_Buffer_Overread__char_alloca_loop_15.c

Nodes: 25 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__char_alloca_loop_15.c
3Label Definition File: CWE126_Buffer_Overread.stack.label.xml
4Template File: sources-sink-15.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Set data pointer to a small buffer
10 * GoodSource: Set data pointer to a large buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 15 Control flow: switch(6)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE126_Buffer_Overread__char_alloca_loop_15_bad()
24{
25 char * data;
26 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
27 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
28 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */
29 dataBadBuffer[50-1] = '\0'; /* null terminate */
30 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */
31 dataGoodBuffer[100-1] = '\0'; /* null terminate */
32 switch(6)
33 {
34 case 6:
35 /* FLAW: Set data pointer to a small buffer */
36 data = dataBadBuffer;
37 break;
38 default:
39 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
40 printLine("Benign, fixed string");
41 break;
42 }
43 {
44 size_t i, destLen;
45 char dest[100];
46 memset(dest, 'C', 100-1);
47 dest[100-1] = '\0'; /* null terminate */
48 destLen = strlen(dest);
49 /* POTENTIAL FLAW: using length of the dest where data
50 * could be smaller than dest causing buffer overread */
51 for (i = 0; i < destLen; i++)
52 {
53 dest[i] = data[i];❗VULN
54 }
55 dest[100-1] = '\0';
56 printLine(dest);
57 }
58}
59
60#endif /* OMITBAD */
61
62#ifndef OMITGOOD
63
64/* goodG2B1() - use goodsource and badsink by changing the switch to switch(5) */
65static void goodG2B1()
66{
67 char * data;
68 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
69 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
70 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */
71 dataBadBuffer[50-1] = '\0'; /* null terminate */
72 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */
73 dataGoodBuffer[100-1] = '\0'; /* null terminate */
74 switch(5)
75 {
76 case 6:
77 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
78 printLine("Benign, fixed string");
79 break;
80 default:
81 /* FIX: Set data pointer to a large buffer */
82 data = dataGoodBuffer;
83 break;
84 }
85 {
86 size_t i, destLen;
87 char dest[100];
88 memset(dest, 'C', 100-1);
89 dest[100-1] = '\0'; /* null terminate */
90 destLen = strlen(dest);
91 /* POTENTIAL FLAW: using length of the dest where data
92 * could be smaller than dest causing buffer overread */
93 for (i = 0; i < destLen; i++)
94 {
95 dest[i] = data[i];
96 }
97 dest[100-1] = '\0';
98 printLine(dest);
99 }
100}
101
102/* goodG2B2() - use goodsource and badsink by reversing the blocks in the switch */
103static void goodG2B2()
104{
105 char * data;
106 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
107 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
108 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */
109 dataBadBuffer[50-1] = '\0'; /* null terminate */
110 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */
111 dataGoodBuffer[100-1] = '\0'; /* null terminate */
112 switch(6)
113 {
114 case 6:
115 /* FIX: Set data pointer to a large buffer */
116 data = dataGoodBuffer;
117 break;
118 default:
119 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
120 printLine("Benign, fixed string");
121 break;
122 }
123 {
124 size_t i, destLen;
125 char dest[100];
126 memset(dest, 'C', 100-1);
127 dest[100-1] = '\0'; /* null terminate */
128 destLen = strlen(dest);
129 /* POTENTIAL FLAW: using length of the dest where data
130 * could be smaller than dest causing buffer overread */
131 for (i = 0; i < destLen; i++)
132 {
133 dest[i] = data[i];
134 }
135 dest[100-1] = '\0';
136 printLine(dest);
137 }
138}
139
140void CWE126_Buffer_Overread__char_alloca_loop_15_good()
141{
142 goodG2B1();
143 goodG2B2();
144}
145
146#endif /* OMITGOOD */
147
148/* Below is the main(). It is only used when building this testcase on
149 * its own for testing or for building a binary to use in testing binary
150 * analysis tools. It is not used when compiling all the testcases as one
151 * application, which is how source code analysis tools are tested.
152 */
153
154#ifdef INCLUDEMAIN
155
156int main(int argc, char * argv[])
157{
158 /* seed randomness */
159 srand( (unsigned)time(NULL) );
160#ifndef OMITGOOD
161 printLine("Calling good()...");
162 CWE126_Buffer_Overread__char_alloca_loop_15_good();
163 printLine("Finished good()");
164#endif /* OMITGOOD */
165#ifndef OMITBAD
166 printLine("Calling bad()...");
167 CWE126_Buffer_Overread__char_alloca_loop_15_bad();
168 printLine("Finished bad()");
169#endif /* OMITBAD */
170 return 0;
171}
172
173#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4877: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memcpy_18.cpp

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memcpy_18.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.label.xml
4Template File: sources-sink-18.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: memcpy
12 * BadSink : Copy int64_t array to data using memcpy
13 * Flow Variant: 18 Control flow: goto statements
14 *
15 * */
16
17#include "std_testcase.h"
18
19namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memcpy_18
20{
21
22#ifndef OMITBAD
23
24void bad()
25{
26 int64_t * data;
27 data = NULL;
28 goto source;
29source:
30 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
31 data = new int64_t[50];
32 {
33 int64_t source[100] = {0}; /* fill with 0's */
34 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
35 memcpy(data, source, 100*sizeof(int64_t));❗VULN
36 printLongLongLine(data[0]);
37 delete [] data;
38 }
39}
40
41#endif /* OMITBAD */
42
43#ifndef OMITGOOD
44
45/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
46static void goodG2B()
47{
48 int64_t * data;
49 data = NULL;
50 goto source;
51source:
52 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
53 data = new int64_t[100];
54 {
55 int64_t source[100] = {0}; /* fill with 0's */
56 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
57 memcpy(data, source, 100*sizeof(int64_t));
58 printLongLongLine(data[0]);
59 delete [] data;
60 }
61}
62
63void good()
64{
65 goodG2B();
66}
67
68#endif /* OMITGOOD */
69
70} /* close namespace */
71
72/* Below is the main(). It is only used when building this testcase on
73 its own for testing or for building a binary to use in testing binary
74 analysis tools. It is not used when compiling all the testcases as one
75 application, which is how source code analysis tools are tested. */
76
77#ifdef INCLUDEMAIN
78
79using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memcpy_18; /* so that we can use good and bad easily */
80
81int main(int argc, char * argv[])
82{
83 /* seed randomness */
84 srand( (unsigned)time(NULL) );
85#ifndef OMITGOOD
86 printLine("Calling good()...");
87 good();
88 printLine("Finished good()");
89#endif /* OMITGOOD */
90#ifndef OMITBAD
91 printLine("Calling bad()...");
92 bad();
93 printLine("Finished bad()");
94#endif /* OMITBAD */
95 return 0;
96}
97
98#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1457: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_09.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_09.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-09.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: memcpy
12 * BadSink : Copy twoIntsStruct array to data using memcpy
13 * Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE) and if(GLOBAL_CONST_FALSE)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_09_bad()
22{
23 twoIntsStruct * data;
24 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));
25 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));
26 if(GLOBAL_CONST_TRUE)
27 {
28 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
29 * buffer in various memory copying functions using a "large" source buffer. */
30 data = dataBadBuffer;
31 }
32 {
33 twoIntsStruct source[100];
34 {
35 size_t i;
36 /* Initialize array */
37 for (i = 0; i < 100; i++)
38 {
39 source[i].intOne = 0;
40 source[i].intTwo = 0;
41 }
42 }
43 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
44 memcpy(data, source, 100*sizeof(twoIntsStruct));❗VULN
45 printStructLine(&data[0]);
46 }
47}
48
49#endif /* OMITBAD */
50
51#ifndef OMITGOOD
52
53/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */
54static void goodG2B1()
55{
56 twoIntsStruct * data;
57 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));
58 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));
59 if(GLOBAL_CONST_FALSE)
60 {
61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
62 printLine("Benign, fixed string");
63 }
64 else
65 {
66 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
67 data = dataGoodBuffer;
68 }
69 {
70 twoIntsStruct source[100];
71 {
72 size_t i;
73 /* Initialize array */
74 for (i = 0; i < 100; i++)
75 {
76 source[i].intOne = 0;
77 source[i].intTwo = 0;
78 }
79 }
80 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
81 memcpy(data, source, 100*sizeof(twoIntsStruct));
82 printStructLine(&data[0]);
83 }
84}
85
86/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
87static void goodG2B2()
88{
89 twoIntsStruct * data;
90 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));
91 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));
92 if(GLOBAL_CONST_TRUE)
93 {
94 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
95 data = dataGoodBuffer;
96 }
97 {
98 twoIntsStruct source[100];
99 {
100 size_t i;
101 /* Initialize array */
102 for (i = 0; i < 100; i++)
103 {
104 source[i].intOne = 0;
105 source[i].intTwo = 0;
106 }
107 }
108 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
109 memcpy(data, source, 100*sizeof(twoIntsStruct));
110 printStructLine(&data[0]);
111 }
112}
113
114void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_09_good()
115{
116 goodG2B1();
117 goodG2B2();
118}
119
120#endif /* OMITGOOD */
121
122/* Below is the main(). It is only used when building this testcase on
123 * its own for testing or for building a binary to use in testing binary
124 * analysis tools. It is not used when compiling all the testcases as one
125 * application, which is how source code analysis tools are tested.
126 */
127
128#ifdef INCLUDEMAIN
129
130int main(int argc, char * argv[])
131{
132 /* seed randomness */
133 srand( (unsigned)time(NULL) );
134#ifndef OMITGOOD
135 printLine("Calling good()...");
136 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_09_good();
137 printLine("Finished good()");
138#endif /* OMITGOOD */
139#ifndef OMITBAD
140 printLine("Calling bad()...");
141 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_memcpy_09_bad();
142 printLine("Finished bad()");
143#endif /* OMITBAD */
144 return 0;
145}
146
147#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9211: CWE124_Buffer_Underwrite__new_char_memcpy_07.cpp

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__new_char_memcpy_07.cpp
3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml
4Template File: sources-sink-07.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memcpy
12 * BadSink : Copy string to data using memcpy
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The variable below is not declared "const", but is never assigned
22 any other value so a tool should be able to identify that reads of
23 this will always give its initialized value. */
24static int staticFive = 5;
25
26namespace CWE124_Buffer_Underwrite__new_char_memcpy_07
27{
28
29#ifndef OMITBAD
30
31void bad()
32{
33 char * data;
34 data = NULL;
35 if(staticFive==5)
36 {
37 {
38 char * dataBuffer = new char[100];
39 memset(dataBuffer, 'A', 100-1);
40 dataBuffer[100-1] = '\0';
41 /* FLAW: Set data pointer to before the allocated memory buffer */
42 data = dataBuffer - 8;
43 }
44 }
45 {
46 char source[100];
47 memset(source, 'C', 100-1); /* fill with 'C's */
48 source[100-1] = '\0'; /* null terminate */
49 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
50 memcpy(data, source, 100*sizeof(char));❗VULN
51 /* Ensure the destination buffer is null terminated */
52 data[100-1] = '\0';
53 printLine(data);
54 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
55 * returned by new [] so can't safely call delete [] on it */
56 }
57}
58
59#endif /* OMITBAD */
60
61#ifndef OMITGOOD
62
63/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
64static void goodG2B1()
65{
66 char * data;
67 data = NULL;
68 if(staticFive!=5)
69 {
70 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
71 printLine("Benign, fixed string");
72 }
73 else
74 {
75 {
76 char * dataBuffer = new char[100];
77 memset(dataBuffer, 'A', 100-1);
78 dataBuffer[100-1] = '\0';
79 /* FIX: Set data pointer to the allocated memory buffer */
80 data = dataBuffer;
81 }
82 }
83 {
84 char source[100];
85 memset(source, 'C', 100-1); /* fill with 'C's */
86 source[100-1] = '\0'; /* null terminate */
87 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
88 memcpy(data, source, 100*sizeof(char));
89 /* Ensure the destination buffer is null terminated */
90 data[100-1] = '\0';
91 printLine(data);
92 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
93 * returned by new [] so can't safely call delete [] on it */
94 }
95}
96
97/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
98static void goodG2B2()
99{
100 char * data;
101 data = NULL;
102 if(staticFive==5)
103 {
104 {
105 char * dataBuffer = new char[100];
106 memset(dataBuffer, 'A', 100-1);
107 dataBuffer[100-1] = '\0';
108 /* FIX: Set data pointer to the allocated memory buffer */
109 data = dataBuffer;
110 }
111 }
112 {
113 char source[100];
114 memset(source, 'C', 100-1); /* fill with 'C's */
115 source[100-1] = '\0'; /* null terminate */
116 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
117 memcpy(data, source, 100*sizeof(char));
118 /* Ensure the destination buffer is null terminated */
119 data[100-1] = '\0';
120 printLine(data);
121 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
122 * returned by new [] so can't safely call delete [] on it */
123 }
124}
125
126void good()
127{
128 goodG2B1();
129 goodG2B2();
130}
131
132#endif /* OMITGOOD */
133
134} /* close namespace */
135
136/* Below is the main(). It is only used when building this testcase on
137 its own for testing or for building a binary to use in testing binary
138 analysis tools. It is not used when compiling all the testcases as one
139 application, which is how source code analysis tools are tested. */
140
141#ifdef INCLUDEMAIN
142
143using namespace CWE124_Buffer_Underwrite__new_char_memcpy_07; /* so that we can use good and bad easily */
144
145int main(int argc, char * argv[])
146{
147 /* seed randomness */
148 srand( (unsigned)time(NULL) );
149#ifndef OMITGOOD
150 printLine("Calling good()...");
151 good();
152 printLine("Finished good()");
153#endif /* OMITGOOD */
154#ifndef OMITBAD
155 printLine("Calling bad()...");
156 bad();
157 printLine("Finished bad()");
158#endif /* OMITBAD */
159 return 0;
160}
161
162#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4473: CWE126_Buffer_Overread__CWE170_char_memcpy_18.c

Nodes: 7 | Sink Nodes: 2 predicted, 2 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__CWE170_char_memcpy_18.c
3Label Definition File: CWE126_Buffer_Overread__CWE170.label.xml
4Template File: point-flaw-18.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Overread
9 * Sinks: memcpy
10 * GoodSink: Copy a string using memcpy with explicit null termination
11 * BadSink : Copy a string using memcpy without explicit null termination
12 * Flow Variant: 18 Control flow: goto statements
13 *
14 * */
15
16#include "std_testcase.h"
17
18#include <wchar.h>
19
20#ifndef OMITBAD
21
22void CWE126_Buffer_Overread__CWE170_char_memcpy_18_bad()
23{
24 goto sink;
25sink:
26 {
27 char data[150], dest[100];
28 /* Initialize data */
29 memset(data, 'A', 149);
30 data[149] = '\0';
31 memcpy(dest, data, 99*sizeof(char));❗VULN
32 /* FLAW: do not explicitly null terminate dest after the use of memcpy */
33 printLine(dest);❗VULN
34 }
35}
36
37#endif /* OMITBAD */
38
39#ifndef OMITGOOD
40
41/* good1() reverses the blocks on the goto statement */
42static void good1()
43{
44 goto sink;
45sink:
46 {
47 char data[150], dest[100];
48 /* Initialize data */
49 memset(data, 'A', 149);
50 data[149] = '\0';
51 memcpy(dest, data, 99*sizeof(char));
52 dest[99] = '\0'; /* FIX: null terminate dest */
53 printLine(dest);
54 }
55}
56
57void CWE126_Buffer_Overread__CWE170_char_memcpy_18_good()
58{
59 good1();
60}
61
62#endif /* OMITGOOD */
63
64/* Below is the main(). It is only used when building this testcase on
65 its own for testing or for building a binary to use in testing binary
66 analysis tools. It is not used when compiling all the testcases as one
67 application, which is how source code analysis tools are tested. */
68
69#ifdef INCLUDEMAIN
70
71int main(int argc, char * argv[])
72{
73 /* seed randomness */
74 srand( (unsigned)time(NULL) );
75#ifndef OMITGOOD
76 printLine("Calling good()...");
77 CWE126_Buffer_Overread__CWE170_char_memcpy_18_good();
78 printLine("Finished good()");
79#endif /* OMITGOOD */
80#ifndef OMITBAD
81 printLine("Calling bad()...");
82 CWE126_Buffer_Overread__CWE170_char_memcpy_18_bad();
83 printLine("Finished bad()");
84#endif /* OMITBAD */
85 return 0;
86}
87
88#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5494: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_05.c

Nodes: 18 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_05.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-05.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: loop
12 * BadSink : Copy twoIntsStruct array to data using a loop
13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19/* The two variables below are not defined as "const", but are never
20 * assigned any other value, so a tool should be able to identify that
21 * reads of these will always return their initialized values.
22 */
23static int staticTrue = 1; /* true */
24static int staticFalse = 0; /* false */
25
26#ifndef OMITBAD
27
28void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_05_bad()
29{
30 twoIntsStruct * data;
31 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));
32 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));
33 if(staticTrue)
34 {
35 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
36 * buffer in various memory copying functions using a "large" source buffer. */
37 data = dataBadBuffer;
38 }
39 {
40 twoIntsStruct source[100];
41 {
42 size_t i;
43 /* Initialize array */
44 for (i = 0; i < 100; i++)
45 {
46 source[i].intOne = 0;
47 source[i].intTwo = 0;
48 }
49 }
50 {
51 size_t i;
52 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
53 for (i = 0; i < 100; i++)
54 {
55 data[i] = source[i];❗VULN
56 }
57 printStructLine(&data[0]);
58 }
59 }
60}
61
62#endif /* OMITBAD */
63
64#ifndef OMITGOOD
65
66/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */
67static void goodG2B1()
68{
69 twoIntsStruct * data;
70 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));
71 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));
72 if(staticFalse)
73 {
74 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
75 printLine("Benign, fixed string");
76 }
77 else
78 {
79 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
80 data = dataGoodBuffer;
81 }
82 {
83 twoIntsStruct source[100];
84 {
85 size_t i;
86 /* Initialize array */
87 for (i = 0; i < 100; i++)
88 {
89 source[i].intOne = 0;
90 source[i].intTwo = 0;
91 }
92 }
93 {
94 size_t i;
95 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
96 for (i = 0; i < 100; i++)
97 {
98 data[i] = source[i];
99 }
100 printStructLine(&data[0]);
101 }
102 }
103}
104
105/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
106static void goodG2B2()
107{
108 twoIntsStruct * data;
109 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));
110 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));
111 if(staticTrue)
112 {
113 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
114 data = dataGoodBuffer;
115 }
116 {
117 twoIntsStruct source[100];
118 {
119 size_t i;
120 /* Initialize array */
121 for (i = 0; i < 100; i++)
122 {
123 source[i].intOne = 0;
124 source[i].intTwo = 0;
125 }
126 }
127 {
128 size_t i;
129 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
130 for (i = 0; i < 100; i++)
131 {
132 data[i] = source[i];
133 }
134 printStructLine(&data[0]);
135 }
136 }
137}
138
139void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_05_good()
140{
141 goodG2B1();
142 goodG2B2();
143}
144
145#endif /* OMITGOOD */
146
147/* Below is the main(). It is only used when building this testcase on
148 * its own for testing or for building a binary to use in testing binary
149 * analysis tools. It is not used when compiling all the testcases as one
150 * application, which is how source code analysis tools are tested.
151 */
152
153#ifdef INCLUDEMAIN
154
155int main(int argc, char * argv[])
156{
157 /* seed randomness */
158 srand( (unsigned)time(NULL) );
159#ifndef OMITGOOD
160 printLine("Calling good()...");
161 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_05_good();
162 printLine("Finished good()");
163#endif /* OMITGOOD */
164#ifndef OMITBAD
165 printLine("Calling bad()...");
166 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_05_bad();
167 printLine("Finished bad()");
168#endif /* OMITBAD */
169 return 0;
170}
171
172#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8974: CWE122_Heap_Based_Buffer_Overflow__cpp_dest_char_cat_01.cpp

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_dest_char_cat_01.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_dest.label.xml
4Template File: sources-sink-01.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: cat
12 * BadSink : Copy string to data using strcat
13 * Flow Variant: 01 Baseline
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__cpp_dest_char_cat_01
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 char * data;
29 data = NULL;
30 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
31 data = new char[50];
32 data[0] = '\0'; /* null terminate */
33 {
34 char source[100];
35 memset(source, 'C', 100-1); /* fill with 'C's */
36 source[100-1] = '\0'; /* null terminate */
37 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
38 strcat(data, source);❗VULN
39 printLine(data);
40 delete [] data;
41 }
42}
43
44#endif /* OMITBAD */
45
46#ifndef OMITGOOD
47
48/* goodG2B uses the GoodSource with the BadSink */
49static void goodG2B()
50{
51 char * data;
52 data = NULL;
53 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
54 data = new char[100];
55 data[0] = '\0'; /* null terminate */
56 {
57 char source[100];
58 memset(source, 'C', 100-1); /* fill with 'C's */
59 source[100-1] = '\0'; /* null terminate */
60 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
61 strcat(data, source);
62 printLine(data);
63 delete [] data;
64 }
65}
66
67void good()
68{
69 goodG2B();
70}
71
72#endif /* OMITGOOD */
73
74} /* close namespace */
75
76/* Below is the main(). It is only used when building this testcase on
77 its own for testing or for building a binary to use in testing binary
78 analysis tools. It is not used when compiling all the testcases as one
79 application, which is how source code analysis tools are tested. */
80
81#ifdef INCLUDEMAIN
82
83using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_dest_char_cat_01; /* so that we can use good and bad easily */
84
85int main(int argc, char * argv[])
86{
87 /* seed randomness */
88 srand( (unsigned)time(NULL) );
89#ifndef OMITGOOD
90 printLine("Calling good()...");
91 good();
92 printLine("Finished good()");
93#endif /* OMITGOOD */
94#ifndef OMITBAD
95 printLine("Calling bad()...");
96 bad();
97 printLine("Finished bad()");
98#endif /* OMITBAD */
99 return 0;
100}
101
102#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3747: CWE127_Buffer_Underread__malloc_wchar_t_memcpy_13.c

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__malloc_wchar_t_memcpy_13.c
3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml
4Template File: sources-sink-13.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__malloc_wchar_t_memcpy_13_bad()
24{
25 wchar_t * data;
26 data = NULL;
27 if(GLOBAL_CONST_FIVE==5)
28 {
29 {
30 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
31 if (dataBuffer == NULL) {exit(-1);}
32 wmemset(dataBuffer, L'A', 100-1);
33 dataBuffer[100-1] = L'\0';
34 /* FLAW: Set data pointer to before the allocated memory buffer */
35 data = dataBuffer - 8;
36 }
37 }
38 {
39 wchar_t dest[100];
40 wmemset(dest, L'C', 100-1); /* fill with 'C's */
41 dest[100-1] = L'\0'; /* null terminate */
42 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
43 memcpy(dest, data, 100*sizeof(wchar_t));❗VULN
44 /* Ensure null termination */
45 dest[100-1] = L'\0';
46 printWLine(dest);
47 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
48 * returned by malloc() so can't safely call free() on it */
49 }
50}
51
52#endif /* OMITBAD */
53
54#ifndef OMITGOOD
55
56/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */
57static void goodG2B1()
58{
59 wchar_t * data;
60 data = NULL;
61 if(GLOBAL_CONST_FIVE!=5)
62 {
63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
64 printLine("Benign, fixed string");
65 }
66 else
67 {
68 {
69 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
70 if (dataBuffer == NULL) {exit(-1);}
71 wmemset(dataBuffer, L'A', 100-1);
72 dataBuffer[100-1] = L'\0';
73 /* FIX: Set data pointer to the allocated memory buffer */
74 data = dataBuffer;
75 }
76 }
77 {
78 wchar_t dest[100];
79 wmemset(dest, L'C', 100-1); /* fill with 'C's */
80 dest[100-1] = L'\0'; /* null terminate */
81 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
82 memcpy(dest, data, 100*sizeof(wchar_t));
83 /* Ensure null termination */
84 dest[100-1] = L'\0';
85 printWLine(dest);
86 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
87 * returned by malloc() so can't safely call free() on it */
88 }
89}
90
91/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
92static void goodG2B2()
93{
94 wchar_t * data;
95 data = NULL;
96 if(GLOBAL_CONST_FIVE==5)
97 {
98 {
99 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
100 if (dataBuffer == NULL) {exit(-1);}
101 wmemset(dataBuffer, L'A', 100-1);
102 dataBuffer[100-1] = L'\0';
103 /* FIX: Set data pointer to the allocated memory buffer */
104 data = dataBuffer;
105 }
106 }
107 {
108 wchar_t dest[100];
109 wmemset(dest, L'C', 100-1); /* fill with 'C's */
110 dest[100-1] = L'\0'; /* null terminate */
111 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
112 memcpy(dest, data, 100*sizeof(wchar_t));
113 /* Ensure null termination */
114 dest[100-1] = L'\0';
115 printWLine(dest);
116 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
117 * returned by malloc() so can't safely call free() on it */
118 }
119}
120
121void CWE127_Buffer_Underread__malloc_wchar_t_memcpy_13_good()
122{
123 goodG2B1();
124 goodG2B2();
125}
126
127#endif /* OMITGOOD */
128
129/* Below is the main(). It is only used when building this testcase on
130 * its own for testing or for building a binary to use in testing binary
131 * analysis tools. It is not used when compiling all the testcases as one
132 * application, which is how source code analysis tools are tested.
133 */
134
135#ifdef INCLUDEMAIN
136
137int main(int argc, char * argv[])
138{
139 /* seed randomness */
140 srand( (unsigned)time(NULL) );
141#ifndef OMITGOOD
142 printLine("Calling good()...");
143 CWE127_Buffer_Underread__malloc_wchar_t_memcpy_13_good();
144 printLine("Finished good()");
145#endif /* OMITGOOD */
146#ifndef OMITBAD
147 printLine("Calling bad()...");
148 CWE127_Buffer_Underread__malloc_wchar_t_memcpy_13_bad();
149 printLine("Finished bad()");
150#endif /* OMITBAD */
151 return 0;
152}
153
154#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3831: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22a.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22a.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml
4Template File: sources-sink-22a.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: snprintf
12 * BadSink : Copy data to string using snprintf
13 * Flow Variant: 22 Control flow: Flow controlled by value of a global variable. Sink functions are in a separate file from sources.
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifdef _WIN32
22#define SNPRINTF _snprintf
23#else
24#define SNPRINTF snprintf
25#endif
26
27#ifndef OMITBAD
28
29/* The global variable below is used to drive control flow in the source function */
30int CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_badGlobal = 0;
31
32char * CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_badSource(char * data);
33
34void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_bad()
35{
36 char * data;
37 data = (char *)malloc(100*sizeof(char));
38 if (data == NULL) {exit(-1);}
39 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_badGlobal = 1; /* true */
40 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_badSource(data);
41 {
42 char dest[50] = "";
43 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
44 SNPRINTF(dest, strlen(data), "%s", data);❗VULN
45 printLine(data);
46 free(data);
47 }
48}
49
50#endif /* OMITBAD */
51
52#ifndef OMITGOOD
53
54/* The global variables below are used to drive control flow in the source functions. */
55int CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_goodG2B1Global = 0;
56int CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_goodG2B2Global = 0;
57
58/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */
59char * CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_goodG2B1Source(char * data);
60
61static void goodG2B1()
62{
63 char * data;
64 data = (char *)malloc(100*sizeof(char));
65 if (data == NULL) {exit(-1);}
66 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_goodG2B1Global = 0; /* false */
67 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_goodG2B1Source(data);
68 {
69 char dest[50] = "";
70 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
71 SNPRINTF(dest, strlen(data), "%s", data);
72 printLine(data);
73 free(data);
74 }
75}
76
77/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */
78char * CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_goodG2B2Source(char * data);
79
80static void goodG2B2()
81{
82 char * data;
83 data = (char *)malloc(100*sizeof(char));
84 if (data == NULL) {exit(-1);}
85 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_goodG2B2Global = 1; /* true */
86 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_goodG2B2Source(data);
87 {
88 char dest[50] = "";
89 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
90 SNPRINTF(dest, strlen(data), "%s", data);
91 printLine(data);
92 free(data);
93 }
94}
95
96void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_good()
97{
98 goodG2B1();
99 goodG2B2();
100}
101
102#endif /* OMITGOOD */
103
104/* Below is the main(). It is only used when building this testcase on
105 * its own for testing or for building a binary to use in testing binary
106 * analysis tools. It is not used when compiling all the testcases as one
107 * application, which is how source code analysis tools are tested.
108 */
109
110#ifdef INCLUDEMAIN
111
112int main(int argc, char * argv[])
113{
114 /* seed randomness */
115 srand( (unsigned)time(NULL) );
116#ifndef OMITGOOD
117 printLine("Calling good()...");
118 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_good();
119 printLine("Finished good()");
120#endif /* OMITGOOD */
121#ifndef OMITBAD
122 printLine("Calling bad()...");
123 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_22_bad();
124 printLine("Finished bad()");
125#endif /* OMITBAD */
126 return 0;
127}
128
129#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8538: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_snprintf_15.c

Nodes: 18 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_snprintf_15.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4Template File: sources-sink-15.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 * Sink: swprintf
12 * BadSink : Copy string to data using swprintf
13 * Flow Variant: 15 Control flow: switch(6)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifdef _WIN32
22#define SNPRINTF _snwprintf
23#else
24#define SNPRINTF swprintf
25#endif
26
27#ifndef OMITBAD
28
29void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_snprintf_15_bad()
30{
31 wchar_t * data;
32 data = NULL;
33 switch(6)
34 {
35 case 6:
36 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
37 data = (wchar_t *)malloc(50*sizeof(wchar_t));
38 if (data == NULL) {exit(-1);}
39 data[0] = L'\0'; /* null terminate */
40 break;
41 default:
42 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
43 printLine("Benign, fixed string");
44 break;
45 }
46 {
47 wchar_t source[100];
48 wmemset(source, L'C', 100-1); /* fill with L'C's */
49 source[100-1] = L'\0'; /* null terminate */
50 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
51 SNPRINTF(data, 100, L"%s", source);❗VULN
52 printWLine(data);
53 free(data);
54 }
55}
56
57#endif /* OMITBAD */
58
59#ifndef OMITGOOD
60
61/* goodG2B1() - use goodsource and badsink by changing the switch to switch(5) */
62static void goodG2B1()
63{
64 wchar_t * data;
65 data = NULL;
66 switch(5)
67 {
68 case 6:
69 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
70 printLine("Benign, fixed string");
71 break;
72 default:
73 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
74 data = (wchar_t *)malloc(100*sizeof(wchar_t));
75 if (data == NULL) {exit(-1);}
76 data[0] = L'\0'; /* null terminate */
77 break;
78 }
79 {
80 wchar_t source[100];
81 wmemset(source, L'C', 100-1); /* fill with L'C's */
82 source[100-1] = L'\0'; /* null terminate */
83 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
84 SNPRINTF(data, 100, L"%s", source);
85 printWLine(data);
86 free(data);
87 }
88}
89
90/* goodG2B2() - use goodsource and badsink by reversing the blocks in the switch */
91static void goodG2B2()
92{
93 wchar_t * data;
94 data = NULL;
95 switch(6)
96 {
97 case 6:
98 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
99 data = (wchar_t *)malloc(100*sizeof(wchar_t));
100 if (data == NULL) {exit(-1);}
101 data[0] = L'\0'; /* null terminate */
102 break;
103 default:
104 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
105 printLine("Benign, fixed string");
106 break;
107 }
108 {
109 wchar_t source[100];
110 wmemset(source, L'C', 100-1); /* fill with L'C's */
111 source[100-1] = L'\0'; /* null terminate */
112 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
113 SNPRINTF(data, 100, L"%s", source);
114 printWLine(data);
115 free(data);
116 }
117}
118
119void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_snprintf_15_good()
120{
121 goodG2B1();
122 goodG2B2();
123}
124
125#endif /* OMITGOOD */
126
127/* Below is the main(). It is only used when building this testcase on
128 * its own for testing or for building a binary to use in testing binary
129 * analysis tools. It is not used when compiling all the testcases as one
130 * application, which is how source code analysis tools are tested.
131 */
132
133#ifdef INCLUDEMAIN
134
135int main(int argc, char * argv[])
136{
137 /* seed randomness */
138 srand( (unsigned)time(NULL) );
139#ifndef OMITGOOD
140 printLine("Calling good()...");
141 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_snprintf_15_good();
142 printLine("Finished good()");
143#endif /* OMITGOOD */
144#ifndef OMITBAD
145 printLine("Calling bad()...");
146 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_snprintf_15_bad();
147 printLine("Finished bad()");
148#endif /* OMITBAD */
149 return 0;
150}
151
152#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5692: CWE124_Buffer_Underwrite__CWE839_listen_socket_01.c

Nodes: 47 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__CWE839_listen_socket_01.c
3Label Definition File: CWE124_Buffer_Underwrite__CWE839.label.xml
4Template File: sources-sinks-01.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: listen_socket Read data using a listen socket (server side)
10 * GoodSource: Non-negative but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the lower bound
14 * Flow Variant: 01 Baseline
15 *
16 * */
17
18#include "std_testcase.h"
19
20#ifdef _WIN32
21#include <winsock2.h>
22#include <windows.h>
23#include <direct.h>
24#pragma comment(lib, "ws2_32") /* include ws2_32.lib when linking */
25#define CLOSE_SOCKET closesocket
26#else
27#include <sys/types.h>
28#include <sys/socket.h>
29#include <netinet/in.h>
30#include <arpa/inet.h>
31#include <unistd.h>
32#define INVALID_SOCKET -1
33#define SOCKET_ERROR -1
34#define CLOSE_SOCKET close
35#define SOCKET int
36#endif
37
38#define TCP_PORT 27015
39#define LISTEN_BACKLOG 5
40#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)
41
42#ifndef OMITBAD
43
44void CWE124_Buffer_Underwrite__CWE839_listen_socket_01_bad()
45{
46 int data;
47 /* Initialize data */
48 data = -1;
49 {
50#ifdef _WIN32
51 WSADATA wsaData;
52 int wsaDataInit = 0;
53#endif
54 int recvResult;
55 struct sockaddr_in service;
56 SOCKET listenSocket = INVALID_SOCKET;
57 SOCKET acceptSocket = INVALID_SOCKET;
58 char inputBuffer[CHAR_ARRAY_SIZE];
59 do
60 {
61#ifdef _WIN32
62 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
63 {
64 break;
65 }
66 wsaDataInit = 1;
67#endif
68 /* POTENTIAL FLAW: Read data using a listen socket */
69 listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
70 if (listenSocket == INVALID_SOCKET)
71 {
72 break;
73 }
74 memset(&service, 0, sizeof(service));
75 service.sin_family = AF_INET;
76 service.sin_addr.s_addr = INADDR_ANY;
77 service.sin_port = htons(TCP_PORT);
78 if (bind(listenSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
79 {
80 break;
81 }
82 if (listen(listenSocket, LISTEN_BACKLOG) == SOCKET_ERROR)
83 {
84 break;
85 }
86 acceptSocket = accept(listenSocket, NULL, NULL);
87 if (acceptSocket == SOCKET_ERROR)
88 {
89 break;
90 }
91 /* Abort on error or the connection was closed */
92 recvResult = recv(acceptSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);
93 if (recvResult == SOCKET_ERROR || recvResult == 0)
94 {
95 break;
96 }
97 /* NUL-terminate the string */
98 inputBuffer[recvResult] = '\0';
99 /* Convert to int */
100 data = atoi(inputBuffer);
101 }
102 while (0);
103 if (listenSocket != INVALID_SOCKET)
104 {
105 CLOSE_SOCKET(listenSocket);
106 }
107 if (acceptSocket != INVALID_SOCKET)
108 {
109 CLOSE_SOCKET(acceptSocket);
110 }
111#ifdef _WIN32
112 if (wsaDataInit)
113 {
114 WSACleanup();
115 }
116#endif
117 }
118 {
119 int i;
120 int buffer[10] = { 0 };
121 /* POTENTIAL FLAW: Attempt to access a negative index of the array
122 * This code does not check to see if the array index is negative */
123 if (data < 10)
124 {
125 buffer[data] = 1;❗VULN
126 /* Print the array values */
127 for(i = 0; i < 10; i++)
128 {
129 printIntLine(buffer[i]);
130 }
131 }
132 else
133 {
134 printLine("ERROR: Array index is negative.");
135 }
136 }
137}
138
139#endif /* OMITBAD */
140
141#ifndef OMITGOOD
142
143/* goodG2B uses the GoodSource with the BadSink */
144static void goodG2B()
145{
146 int data;
147 /* Initialize data */
148 data = -1;
149 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
150 * access an index of the array in the sink that is out-of-bounds */
151 data = 7;
152 {
153 int i;
154 int buffer[10] = { 0 };
155 /* POTENTIAL FLAW: Attempt to access a negative index of the array
156 * This code does not check to see if the array index is negative */
157 if (data < 10)
158 {
159 buffer[data] = 1;
160 /* Print the array values */
161 for(i = 0; i < 10; i++)
162 {
163 printIntLine(buffer[i]);
164 }
165 }
166 else
167 {
168 printLine("ERROR: Array index is negative.");
169 }
170 }
171}
172
173/* goodB2G uses the BadSource with the GoodSink */
174static void goodB2G()
175{
176 int data;
177 /* Initialize data */
178 data = -1;
179 {
180#ifdef _WIN32
181 WSADATA wsaData;
182 int wsaDataInit = 0;
183#endif
184 int recvResult;
185 struct sockaddr_in service;
186 SOCKET listenSocket = INVALID_SOCKET;
187 SOCKET acceptSocket = INVALID_SOCKET;
188 char inputBuffer[CHAR_ARRAY_SIZE];
189 do
190 {
191#ifdef _WIN32
192 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
193 {
194 break;
195 }
196 wsaDataInit = 1;
197#endif
198 /* POTENTIAL FLAW: Read data using a listen socket */
199 listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
200 if (listenSocket == INVALID_SOCKET)
201 {
202 break;
203 }
204 memset(&service, 0, sizeof(service));
205 service.sin_family = AF_INET;
206 service.sin_addr.s_addr = INADDR_ANY;
207 service.sin_port = htons(TCP_PORT);
208 if (bind(listenSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
209 {
210 break;
211 }
212 if (listen(listenSocket, LISTEN_BACKLOG) == SOCKET_ERROR)
213 {
214 break;
215 }
216 acceptSocket = accept(listenSocket, NULL, NULL);
217 if (acceptSocket == SOCKET_ERROR)
218 {
219 break;
220 }
221 /* Abort on error or the connection was closed */
222 recvResult = recv(acceptSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);
223 if (recvResult == SOCKET_ERROR || recvResult == 0)
224 {
225 break;
226 }
227 /* NUL-terminate the string */
228 inputBuffer[recvResult] = '\0';
229 /* Convert to int */
230 data = atoi(inputBuffer);
231 }
232 while (0);
233 if (listenSocket != INVALID_SOCKET)
234 {
235 CLOSE_SOCKET(listenSocket);
236 }
237 if (acceptSocket != INVALID_SOCKET)
238 {
239 CLOSE_SOCKET(acceptSocket);
240 }
241#ifdef _WIN32
242 if (wsaDataInit)
243 {
244 WSACleanup();
245 }
246#endif
247 }
248 {
249 int i;
250 int buffer[10] = { 0 };
251 /* FIX: Properly validate the array index and prevent a buffer underwrite */
252 if (data >= 0 && data < (10))
253 {
254 buffer[data] = 1;
255 /* Print the array values */
256 for(i = 0; i < 10; i++)
257 {
258 printIntLine(buffer[i]);
259 }
260 }
261 else
262 {
263 printLine("ERROR: Array index is out-of-bounds");
264 }
265 }
266}
267
268void CWE124_Buffer_Underwrite__CWE839_listen_socket_01_good()
269{
270 goodG2B();
271 goodB2G();
272}
273
274#endif /* OMITGOOD */
275
276/* Below is the main(). It is only used when building this testcase on
277 its own for testing or for building a binary to use in testing binary
278 analysis tools. It is not used when compiling all the testcases as one
279 application, which is how source code analysis tools are tested. */
280
281#ifdef INCLUDEMAIN
282
283int main(int argc, char * argv[])
284{
285 /* seed randomness */
286 srand( (unsigned)time(NULL) );
287#ifndef OMITGOOD
288 printLine("Calling good()...");
289 CWE124_Buffer_Underwrite__CWE839_listen_socket_01_good();
290 printLine("Finished good()");
291#endif /* OMITGOOD */
292#ifndef OMITBAD
293 printLine("Calling bad()...");
294 CWE124_Buffer_Underwrite__CWE839_listen_socket_01_bad();
295 printLine("Finished bad()");
296#endif /* OMITBAD */
297 return 0;
298}
299
300#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6742: CWE127_Buffer_Underread__malloc_char_cpy_05.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__malloc_char_cpy_05.c
3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml
4Template File: sources-sink-05.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: cpy
12 * BadSink : Copy data to string using strcpy
13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are not defined as "const", but are never
22 * assigned any other value, so a tool should be able to identify that
23 * reads of these will always return their initialized values.
24 */
25static int staticTrue = 1; /* true */
26static int staticFalse = 0; /* false */
27
28#ifndef OMITBAD
29
30void CWE127_Buffer_Underread__malloc_char_cpy_05_bad()
31{
32 char * data;
33 data = NULL;
34 if(staticTrue)
35 {
36 {
37 char * dataBuffer = (char *)malloc(100*sizeof(char));
38 if (dataBuffer == NULL) {exit(-1);}
39 memset(dataBuffer, 'A', 100-1);
40 dataBuffer[100-1] = '\0';
41 /* FLAW: Set data pointer to before the allocated memory buffer */
42 data = dataBuffer - 8;
43 }
44 }
45 {
46 char dest[100*2];
47 memset(dest, 'C', 100*2-1); /* fill with 'C's */
48 dest[100*2-1] = '\0'; /* null terminate */
49 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
50 strcpy(dest, data);❗VULN
51 printLine(dest);
52 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
53 * returned by malloc() so can't safely call free() on it */
54 }
55}
56
57#endif /* OMITBAD */
58
59#ifndef OMITGOOD
60
61/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */
62static void goodG2B1()
63{
64 char * data;
65 data = NULL;
66 if(staticFalse)
67 {
68 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
69 printLine("Benign, fixed string");
70 }
71 else
72 {
73 {
74 char * dataBuffer = (char *)malloc(100*sizeof(char));
75 if (dataBuffer == NULL) {exit(-1);}
76 memset(dataBuffer, 'A', 100-1);
77 dataBuffer[100-1] = '\0';
78 /* FIX: Set data pointer to the allocated memory buffer */
79 data = dataBuffer;
80 }
81 }
82 {
83 char dest[100*2];
84 memset(dest, 'C', 100*2-1); /* fill with 'C's */
85 dest[100*2-1] = '\0'; /* null terminate */
86 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
87 strcpy(dest, data);
88 printLine(dest);
89 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
90 * returned by malloc() so can't safely call free() on it */
91 }
92}
93
94/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
95static void goodG2B2()
96{
97 char * data;
98 data = NULL;
99 if(staticTrue)
100 {
101 {
102 char * dataBuffer = (char *)malloc(100*sizeof(char));
103 if (dataBuffer == NULL) {exit(-1);}
104 memset(dataBuffer, 'A', 100-1);
105 dataBuffer[100-1] = '\0';
106 /* FIX: Set data pointer to the allocated memory buffer */
107 data = dataBuffer;
108 }
109 }
110 {
111 char dest[100*2];
112 memset(dest, 'C', 100*2-1); /* fill with 'C's */
113 dest[100*2-1] = '\0'; /* null terminate */
114 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
115 strcpy(dest, data);
116 printLine(dest);
117 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
118 * returned by malloc() so can't safely call free() on it */
119 }
120}
121
122void CWE127_Buffer_Underread__malloc_char_cpy_05_good()
123{
124 goodG2B1();
125 goodG2B2();
126}
127
128#endif /* OMITGOOD */
129
130/* Below is the main(). It is only used when building this testcase on
131 * its own for testing or for building a binary to use in testing binary
132 * analysis tools. It is not used when compiling all the testcases as one
133 * application, which is how source code analysis tools are tested.
134 */
135
136#ifdef INCLUDEMAIN
137
138int main(int argc, char * argv[])
139{
140 /* seed randomness */
141 srand( (unsigned)time(NULL) );
142#ifndef OMITGOOD
143 printLine("Calling good()...");
144 CWE127_Buffer_Underread__malloc_char_cpy_05_good();
145 printLine("Finished good()");
146#endif /* OMITGOOD */
147#ifndef OMITBAD
148 printLine("Calling bad()...");
149 CWE127_Buffer_Underread__malloc_char_cpy_05_bad();
150 printLine("Finished bad()");
151#endif /* OMITBAD */
152 return 0;
153}
154
155#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7464: CWE127_Buffer_Underread__wchar_t_declare_ncpy_02.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__wchar_t_declare_ncpy_02.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-02.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: ncpy
12 * BadSink : Copy data to string using wcsncpy
13 * Flow Variant: 02 Control flow: if(1) and if(0)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__wchar_t_declare_ncpy_02_bad()
24{
25 wchar_t * data;
26 wchar_t dataBuffer[100];
27 wmemset(dataBuffer, L'A', 100-1);
28 dataBuffer[100-1] = L'\0';
29 if(1)
30 {
31 /* FLAW: Set data pointer to before the allocated memory buffer */
32 data = dataBuffer - 8;
33 }
34 {
35 wchar_t dest[100];
36 wmemset(dest, L'C', 100-1); /* fill with 'C's */
37 dest[100-1] = L'\0'; /* null terminate */
38 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
39 wcsncpy(dest, data, wcslen(dest));❗VULN
40 /* Ensure null termination */
41 dest[100-1] = L'\0';
42 printWLine(dest);
43 }
44}
45
46#endif /* OMITBAD */
47
48#ifndef OMITGOOD
49
50/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */
51static void goodG2B1()
52{
53 wchar_t * data;
54 wchar_t dataBuffer[100];
55 wmemset(dataBuffer, L'A', 100-1);
56 dataBuffer[100-1] = L'\0';
57 if(0)
58 {
59 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
60 printLine("Benign, fixed string");
61 }
62 else
63 {
64 /* FIX: Set data pointer to the allocated memory buffer */
65 data = dataBuffer;
66 }
67 {
68 wchar_t dest[100];
69 wmemset(dest, L'C', 100-1); /* fill with 'C's */
70 dest[100-1] = L'\0'; /* null terminate */
71 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
72 wcsncpy(dest, data, wcslen(dest));
73 /* Ensure null termination */
74 dest[100-1] = L'\0';
75 printWLine(dest);
76 }
77}
78
79/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
80static void goodG2B2()
81{
82 wchar_t * data;
83 wchar_t dataBuffer[100];
84 wmemset(dataBuffer, L'A', 100-1);
85 dataBuffer[100-1] = L'\0';
86 if(1)
87 {
88 /* FIX: Set data pointer to the allocated memory buffer */
89 data = dataBuffer;
90 }
91 {
92 wchar_t dest[100];
93 wmemset(dest, L'C', 100-1); /* fill with 'C's */
94 dest[100-1] = L'\0'; /* null terminate */
95 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
96 wcsncpy(dest, data, wcslen(dest));
97 /* Ensure null termination */
98 dest[100-1] = L'\0';
99 printWLine(dest);
100 }
101}
102
103void CWE127_Buffer_Underread__wchar_t_declare_ncpy_02_good()
104{
105 goodG2B1();
106 goodG2B2();
107}
108
109#endif /* OMITGOOD */
110
111/* Below is the main(). It is only used when building this testcase on
112 * its own for testing or for building a binary to use in testing binary
113 * analysis tools. It is not used when compiling all the testcases as one
114 * application, which is how source code analysis tools are tested.
115 */
116
117#ifdef INCLUDEMAIN
118
119int main(int argc, char * argv[])
120{
121 /* seed randomness */
122 srand( (unsigned)time(NULL) );
123#ifndef OMITGOOD
124 printLine("Calling good()...");
125 CWE127_Buffer_Underread__wchar_t_declare_ncpy_02_good();
126 printLine("Finished good()");
127#endif /* OMITGOOD */
128#ifndef OMITBAD
129 printLine("Calling bad()...");
130 CWE127_Buffer_Underread__wchar_t_declare_ncpy_02_bad();
131 printLine("Finished bad()");
132#endif /* OMITBAD */
133 return 0;
134}
135
136#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7547: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int_memmove_32.cpp

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int_memmove_32.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.label.xml
4Template File: sources-sink-32.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: memmove
12 * BadSink : Copy int array to data using memmove
13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int_memmove_32
20{
21
22#ifndef OMITBAD
23
24void bad()
25{
26 int * data;
27 int * *dataPtr1 = &data;
28 int * *dataPtr2 = &data;
29 data = NULL;
30 {
31 int * data = *dataPtr1;
32 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
33 data = new int[50];
34 *dataPtr1 = data;
35 }
36 {
37 int * data = *dataPtr2;
38 {
39 int source[100] = {0}; /* fill with 0's */
40 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
41 memmove(data, source, 100*sizeof(int));❗VULN
42 printIntLine(data[0]);
43 delete [] data;
44 }
45 }
46}
47
48#endif /* OMITBAD */
49
50#ifndef OMITGOOD
51
52/* goodG2B() uses the GoodSource with the BadSink */
53static void goodG2B()
54{
55 int * data;
56 int * *dataPtr1 = &data;
57 int * *dataPtr2 = &data;
58 data = NULL;
59 {
60 int * data = *dataPtr1;
61 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
62 data = new int[100];
63 *dataPtr1 = data;
64 }
65 {
66 int * data = *dataPtr2;
67 {
68 int source[100] = {0}; /* fill with 0's */
69 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
70 memmove(data, source, 100*sizeof(int));
71 printIntLine(data[0]);
72 delete [] data;
73 }
74 }
75}
76
77void good()
78{
79 goodG2B();
80}
81
82#endif /* OMITGOOD */
83
84} /* close namespace */
85
86/* Below is the main(). It is only used when building this testcase on
87 its own for testing or for building a binary to use in testing binary
88 analysis tools. It is not used when compiling all the testcases as one
89 application, which is how source code analysis tools are tested. */
90#ifdef INCLUDEMAIN
91
92using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int_memmove_32; /* so that we can use good and bad easily */
93
94int main(int argc, char * argv[])
95{
96 /* seed randomness */
97 srand( (unsigned)time(NULL) );
98#ifndef OMITGOOD
99 printLine("Calling good()...");
100 good();
101 printLine("Finished good()");
102#endif /* OMITGOOD */
103#ifndef OMITBAD
104 printLine("Calling bad()...");
105 bad();
106 printLine("Finished bad()");
107#endif /* OMITBAD */
108 return 0;
109}
110
111#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6912: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_ncpy_16.cpp

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_ncpy_16.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193.label.xml
4Template File: sources-sink-16.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 * GoodSource: Allocate enough memory for a string and the NULL terminator
11 * Sink: ncpy
12 * BadSink : Copy string to data using strncpy()
13 * Flow Variant: 16 Control flow: while(1)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING "AAAAAAAAAA"
25
26namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_ncpy_16
27{
28
29#ifndef OMITBAD
30
31void bad()
32{
33 char * data;
34 data = NULL;
35 while(1)
36 {
37 /* FLAW: Did not leave space for a null terminator */
38 data = new char[10];
39 break;
40 }
41 {
42 char source[10+1] = SRC_STRING;
43 /* Copy length + 1 to include NUL terminator from source */
44 /* POTENTIAL FLAW: data may not have enough space to hold source */
45 strncpy(data, source, strlen(source) + 1);❗VULN
46 printLine(data);
47 delete [] data;
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */
56static void goodG2B()
57{
58 char * data;
59 data = NULL;
60 while(1)
61 {
62 /* FIX: Allocate space for a null terminator */
63 data = new char[10+1];
64 break;
65 }
66 {
67 char source[10+1] = SRC_STRING;
68 /* Copy length + 1 to include NUL terminator from source */
69 /* POTENTIAL FLAW: data may not have enough space to hold source */
70 strncpy(data, source, strlen(source) + 1);
71 printLine(data);
72 delete [] data;
73 }
74}
75
76void good()
77{
78 goodG2B();
79}
80
81#endif /* OMITGOOD */
82
83} /* close namespace */
84
85/* Below is the main(). It is only used when building this testcase on
86 its own for testing or for building a binary to use in testing binary
87 analysis tools. It is not used when compiling all the testcases as one
88 application, which is how source code analysis tools are tested. */
89
90#ifdef INCLUDEMAIN
91
92using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_ncpy_16; /* so that we can use good and bad easily */
93
94int main(int argc, char * argv[])
95{
96 /* seed randomness */
97 srand( (unsigned)time(NULL) );
98#ifndef OMITGOOD
99 printLine("Calling good()...");
100 good();
101 printLine("Finished good()");
102#endif /* OMITGOOD */
103#ifndef OMITBAD
104 printLine("Calling bad()...");
105 bad();
106 printLine("Finished bad()");
107#endif /* OMITBAD */
108 return 0;
109}
110
111#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3830: CWE127_Buffer_Underread__malloc_char_loop_14.c

Nodes: 19 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__malloc_char_loop_14.c
3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml
4Template File: sources-sink-14.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__malloc_char_loop_14_bad()
24{
25 char * data;
26 data = NULL;
27 if(globalFive==5)
28 {
29 {
30 char * dataBuffer = (char *)malloc(100*sizeof(char));
31 if (dataBuffer == NULL) {exit(-1);}
32 memset(dataBuffer, 'A', 100-1);
33 dataBuffer[100-1] = '\0';
34 /* FLAW: Set data pointer to before the allocated memory buffer */
35 data = dataBuffer - 8;
36 }
37 }
38 {
39 size_t i;
40 char dest[100];
41 memset(dest, 'C', 100-1); /* fill with 'C's */
42 dest[100-1] = '\0'; /* null terminate */
43 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
44 for (i = 0; i < 100; i++)
45 {
46 dest[i] = data[i];❗VULN
47 }
48 /* Ensure null termination */
49 dest[100-1] = '\0';
50 printLine(dest);
51 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
52 * returned by malloc() so can't safely call free() on it */
53 }
54}
55
56#endif /* OMITBAD */
57
58#ifndef OMITGOOD
59
60/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */
61static void goodG2B1()
62{
63 char * data;
64 data = NULL;
65 if(globalFive!=5)
66 {
67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
68 printLine("Benign, fixed string");
69 }
70 else
71 {
72 {
73 char * dataBuffer = (char *)malloc(100*sizeof(char));
74 if (dataBuffer == NULL) {exit(-1);}
75 memset(dataBuffer, 'A', 100-1);
76 dataBuffer[100-1] = '\0';
77 /* FIX: Set data pointer to the allocated memory buffer */
78 data = dataBuffer;
79 }
80 }
81 {
82 size_t i;
83 char dest[100];
84 memset(dest, 'C', 100-1); /* fill with 'C's */
85 dest[100-1] = '\0'; /* null terminate */
86 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
87 for (i = 0; i < 100; i++)
88 {
89 dest[i] = data[i];
90 }
91 /* Ensure null termination */
92 dest[100-1] = '\0';
93 printLine(dest);
94 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
95 * returned by malloc() so can't safely call free() on it */
96 }
97}
98
99/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
100static void goodG2B2()
101{
102 char * data;
103 data = NULL;
104 if(globalFive==5)
105 {
106 {
107 char * dataBuffer = (char *)malloc(100*sizeof(char));
108 if (dataBuffer == NULL) {exit(-1);}
109 memset(dataBuffer, 'A', 100-1);
110 dataBuffer[100-1] = '\0';
111 /* FIX: Set data pointer to the allocated memory buffer */
112 data = dataBuffer;
113 }
114 }
115 {
116 size_t i;
117 char dest[100];
118 memset(dest, 'C', 100-1); /* fill with 'C's */
119 dest[100-1] = '\0'; /* null terminate */
120 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
121 for (i = 0; i < 100; i++)
122 {
123 dest[i] = data[i];
124 }
125 /* Ensure null termination */
126 dest[100-1] = '\0';
127 printLine(dest);
128 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
129 * returned by malloc() so can't safely call free() on it */
130 }
131}
132
133void CWE127_Buffer_Underread__malloc_char_loop_14_good()
134{
135 goodG2B1();
136 goodG2B2();
137}
138
139#endif /* OMITGOOD */
140
141/* Below is the main(). It is only used when building this testcase on
142 * its own for testing or for building a binary to use in testing binary
143 * analysis tools. It is not used when compiling all the testcases as one
144 * application, which is how source code analysis tools are tested.
145 */
146
147#ifdef INCLUDEMAIN
148
149int main(int argc, char * argv[])
150{
151 /* seed randomness */
152 srand( (unsigned)time(NULL) );
153#ifndef OMITGOOD
154 printLine("Calling good()...");
155 CWE127_Buffer_Underread__malloc_char_loop_14_good();
156 printLine("Finished good()");
157#endif /* OMITGOOD */
158#ifndef OMITBAD
159 printLine("Calling bad()...");
160 CWE127_Buffer_Underread__malloc_char_loop_14_bad();
161 printLine("Finished bad()");
162#endif /* OMITBAD */
163 return 0;
164}
165
166#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7948: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_ncpy_17.cpp

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_ncpy_17.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806.label.xml
4Template File: sources-sink-17.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: ncpy
12 * BadSink : Copy data to string using wcsncpy
13 * Flow Variant: 17 Control flow: for loops
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_ncpy_17
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 int i;
29 wchar_t * data;
30 data = new wchar_t[100];
31 for(i = 0; i < 1; i++)
32 {
33 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
34 wmemset(data, L'A', 100-1); /* fill with L'A's */
35 data[100-1] = L'\0'; /* null terminate */
36 }
37 {
38 wchar_t dest[50] = L"";
39 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
40 wcsncpy(dest, data, wcslen(data));❗VULN
41 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
42 printWLine(data);
43 delete [] data;
44 }
45}
46
47#endif /* OMITBAD */
48
49#ifndef OMITGOOD
50
51/* goodG2B() - use goodsource in the for statement */
52static void goodG2B()
53{
54 int h;
55 wchar_t * data;
56 data = new wchar_t[100];
57 for(h = 0; h < 1; h++)
58 {
59 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
60 wmemset(data, L'A', 50-1); /* fill with L'A's */
61 data[50-1] = L'\0'; /* null terminate */
62 }
63 {
64 wchar_t dest[50] = L"";
65 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
66 wcsncpy(dest, data, wcslen(data));
67 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
68 printWLine(data);
69 delete [] data;
70 }
71}
72
73void good()
74{
75 goodG2B();
76}
77
78#endif /* OMITGOOD */
79
80} /* close namespace */
81
82/* Below is the main(). It is only used when building this testcase on
83 its own for testing or for building a binary to use in testing binary
84 analysis tools. It is not used when compiling all the testcases as one
85 application, which is how source code analysis tools are tested. */
86
87#ifdef INCLUDEMAIN
88
89using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_ncpy_17; /* so that we can use good and bad easily */
90
91int main(int argc, char * argv[])
92{
93 /* seed randomness */
94 srand( (unsigned)time(NULL) );
95#ifndef OMITGOOD
96 printLine("Calling good()...");
97 good();
98 printLine("Finished good()");
99#endif /* OMITGOOD */
100#ifndef OMITBAD
101 printLine("Calling bad()...");
102 bad();
103 printLine("Finished bad()");
104#endif /* OMITBAD */
105 return 0;
106}
107
108#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9617: CWE121_Stack_Based_Buffer_Overflow__CWE129_fgets_17.c

Nodes: 22 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE129_fgets_17.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE129.label.xml
4Template File: sources-sinks-17.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: fgets Read data from the console using fgets()
10 * GoodSource: Larger than zero but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the upper bound
14 * Flow Variant: 17 Control flow: for loops
15 *
16 * */
17
18#include "std_testcase.h"
19
20#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)
21
22#ifndef OMITBAD
23
24void CWE121_Stack_Based_Buffer_Overflow__CWE129_fgets_17_bad()
25{
26 int i,j;
27 int data;
28 /* Initialize data */
29 data = -1;
30 for(i = 0; i < 1; i++)
31 {
32 {
33 char inputBuffer[CHAR_ARRAY_SIZE] = "";
34 /* POTENTIAL FLAW: Read data from the console using fgets() */
35 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)
36 {
37 /* Convert to int */
38 data = atoi(inputBuffer);
39 }
40 else
41 {
42 printLine("fgets() failed.");
43 }
44 }
45 }
46 for(j = 0; j < 1; j++)
47 {
48 {
49 int i;
50 int buffer[10] = { 0 };
51 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
52 * This code does check to see if the array index is negative */
53 if (data >= 0)
54 {
55 buffer[data] = 1;❗VULN
56 /* Print the array values */
57 for(i = 0; i < 10; i++)
58 {
59 printIntLine(buffer[i]);
60 }
61 }
62 else
63 {
64 printLine("ERROR: Array index is negative.");
65 }
66 }
67 }
68}
69
70#endif /* OMITBAD */
71
72#ifndef OMITGOOD
73
74/* goodB2G() - use badsource and goodsink in the for statements */
75static void goodB2G()
76{
77 int i,k;
78 int data;
79 /* Initialize data */
80 data = -1;
81 for(i = 0; i < 1; i++)
82 {
83 {
84 char inputBuffer[CHAR_ARRAY_SIZE] = "";
85 /* POTENTIAL FLAW: Read data from the console using fgets() */
86 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)
87 {
88 /* Convert to int */
89 data = atoi(inputBuffer);
90 }
91 else
92 {
93 printLine("fgets() failed.");
94 }
95 }
96 }
97 for(k = 0; k < 1; k++)
98 {
99 {
100 int i;
101 int buffer[10] = { 0 };
102 /* FIX: Properly validate the array index and prevent a buffer overflow */
103 if (data >= 0 && data < (10))
104 {
105 buffer[data] = 1;
106 /* Print the array values */
107 for(i = 0; i < 10; i++)
108 {
109 printIntLine(buffer[i]);
110 }
111 }
112 else
113 {
114 printLine("ERROR: Array index is out-of-bounds");
115 }
116 }
117 }
118}
119
120/* goodG2B() - use goodsource and badsink in the for statements */
121static void goodG2B()
122{
123 int h,j;
124 int data;
125 /* Initialize data */
126 data = -1;
127 for(h = 0; h < 1; h++)
128 {
129 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
130 * access an index of the array in the sink that is out-of-bounds */
131 data = 7;
132 }
133 for(j = 0; j < 1; j++)
134 {
135 {
136 int i;
137 int buffer[10] = { 0 };
138 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
139 * This code does check to see if the array index is negative */
140 if (data >= 0)
141 {
142 buffer[data] = 1;
143 /* Print the array values */
144 for(i = 0; i < 10; i++)
145 {
146 printIntLine(buffer[i]);
147 }
148 }
149 else
150 {
151 printLine("ERROR: Array index is negative.");
152 }
153 }
154 }
155}
156
157void CWE121_Stack_Based_Buffer_Overflow__CWE129_fgets_17_good()
158{
159 goodB2G();
160 goodG2B();
161}
162
163#endif /* OMITGOOD */
164
165/* Below is the main(). It is only used when building this testcase on
166 its own for testing or for building a binary to use in testing binary
167 analysis tools. It is not used when compiling all the testcases as one
168 application, which is how source code analysis tools are tested. */
169
170#ifdef INCLUDEMAIN
171
172int main(int argc, char * argv[])
173{
174 /* seed randomness */
175 srand( (unsigned)time(NULL) );
176#ifndef OMITGOOD
177 printLine("Calling good()...");
178 CWE121_Stack_Based_Buffer_Overflow__CWE129_fgets_17_good();
179 printLine("Finished good()");
180#endif /* OMITGOOD */
181#ifndef OMITBAD
182 printLine("Calling bad()...");
183 CWE121_Stack_Based_Buffer_Overflow__CWE129_fgets_17_bad();
184 printLine("Finished bad()");
185#endif /* OMITBAD */
186 return 0;
187}
188
189#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9408: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_01.cpp

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_01.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml
4Template File: sources-sink-01.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: ncat
12 * BadSink : Copy string to data using wcsncat
13 * Flow Variant: 01 Baseline
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_01
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 wchar_t * data;
29 data = NULL;
30 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
31 data = new wchar_t[50];
32 data[0] = L'\0'; /* null terminate */
33 {
34 wchar_t source[100];
35 wmemset(source, L'C', 100-1); /* fill with L'C's */
36 source[100-1] = L'\0'; /* null terminate */
37 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
38 wcsncat(data, source, 100);❗VULN
39 printWLine(data);
40 delete [] data;
41 }
42}
43
44#endif /* OMITBAD */
45
46#ifndef OMITGOOD
47
48/* goodG2B uses the GoodSource with the BadSink */
49static void goodG2B()
50{
51 wchar_t * data;
52 data = NULL;
53 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
54 data = new wchar_t[100];
55 data[0] = L'\0'; /* null terminate */
56 {
57 wchar_t source[100];
58 wmemset(source, L'C', 100-1); /* fill with L'C's */
59 source[100-1] = L'\0'; /* null terminate */
60 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
61 wcsncat(data, source, 100);
62 printWLine(data);
63 delete [] data;
64 }
65}
66
67void good()
68{
69 goodG2B();
70}
71
72#endif /* OMITGOOD */
73
74} /* close namespace */
75
76/* Below is the main(). It is only used when building this testcase on
77 its own for testing or for building a binary to use in testing binary
78 analysis tools. It is not used when compiling all the testcases as one
79 application, which is how source code analysis tools are tested. */
80
81#ifdef INCLUDEMAIN
82
83using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_01; /* so that we can use good and bad easily */
84
85int main(int argc, char * argv[])
86{
87 /* seed randomness */
88 srand( (unsigned)time(NULL) );
89#ifndef OMITGOOD
90 printLine("Calling good()...");
91 good();
92 printLine("Finished good()");
93#endif /* OMITGOOD */
94#ifndef OMITBAD
95 printLine("Calling bad()...");
96 bad();
97 printLine("Finished bad()");
98#endif /* OMITBAD */
99 return 0;
100}
101
102#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4584: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncat_42.c

Nodes: 8 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncat_42.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml
4Template File: sources-sink-42.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: ncat
12 * BadSink : Copy data to string using strncat
13 * Flow Variant: 42 Data flow: data returned from one function to another in the same source file
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23static char * badSource(char * data)
24{
25 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
26 memset(data, 'A', 100-1); /* fill with 'A's */
27 data[100-1] = '\0'; /* null terminate */
28 return data;
29}
30
31void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncat_42_bad()
32{
33 char * data;
34 char dataBuffer[100];
35 data = dataBuffer;
36 data = badSource(data);
37 {
38 char dest[50] = "";
39 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/
40 strncat(dest, data, strlen(data));❗VULN
41 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
42 printLine(data);
43 }
44}
45
46#endif /* OMITBAD */
47
48#ifndef OMITGOOD
49
50static char * goodG2BSource(char * data)
51{
52 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
53 memset(data, 'A', 50-1); /* fill with 'A's */
54 data[50-1] = '\0'; /* null terminate */
55 return data;
56}
57
58/* goodG2B uses the GoodSource with the BadSink */
59static void goodG2B()
60{
61 char * data;
62 char dataBuffer[100];
63 data = dataBuffer;
64 data = goodG2BSource(data);
65 {
66 char dest[50] = "";
67 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/
68 strncat(dest, data, strlen(data));
69 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
70 printLine(data);
71 }
72}
73
74void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncat_42_good()
75{
76 goodG2B();
77}
78
79#endif /* OMITGOOD */
80
81/* Below is the main(). It is only used when building this testcase on
82 * its own for testing or for building a binary to use in testing binary
83 * analysis tools. It is not used when compiling all the testcases as one
84 * application, which is how source code analysis tools are tested.
85 */
86
87#ifdef INCLUDEMAIN
88
89int main(int argc, char * argv[])
90{
91 /* seed randomness */
92 srand( (unsigned)time(NULL) );
93#ifndef OMITGOOD
94 printLine("Calling good()...");
95 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncat_42_good();
96 printLine("Finished good()");
97#endif /* OMITGOOD */
98#ifndef OMITBAD
99 printLine("Calling bad()...");
100 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncat_42_bad();
101 printLine("Finished bad()");
102#endif /* OMITBAD */
103 return 0;
104}
105
106#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8578: CWE122_Heap_Based_Buffer_Overflow__c_src_char_cpy_34.c

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_src_char_cpy_34.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_src.label.xml
4Template File: sources-sink-34.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sinks: cpy
12 * BadSink : Copy data to string using strcpy
13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21typedef union
22{
23 char * unionFirst;
24 char * unionSecond;
25} CWE122_Heap_Based_Buffer_Overflow__c_src_char_cpy_34_unionType;
26
27#ifndef OMITBAD
28
29void CWE122_Heap_Based_Buffer_Overflow__c_src_char_cpy_34_bad()
30{
31 char * data;
32 CWE122_Heap_Based_Buffer_Overflow__c_src_char_cpy_34_unionType myUnion;
33 data = (char *)malloc(100*sizeof(char));
34 if (data == NULL) {exit(-1);}
35 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
36 memset(data, 'A', 100-1); /* fill with 'A's */
37 data[100-1] = '\0'; /* null terminate */
38 myUnion.unionFirst = data;
39 {
40 char * data = myUnion.unionSecond;
41 {
42 char dest[50] = "";
43 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
44 strcpy(dest, data);❗VULN
45 printLine(data);
46 free(data);
47 }
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* goodG2B() uses the GoodSource with the BadSink */
56static void goodG2B()
57{
58 char * data;
59 CWE122_Heap_Based_Buffer_Overflow__c_src_char_cpy_34_unionType myUnion;
60 data = (char *)malloc(100*sizeof(char));
61 if (data == NULL) {exit(-1);}
62 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
63 memset(data, 'A', 50-1); /* fill with 'A's */
64 data[50-1] = '\0'; /* null terminate */
65 myUnion.unionFirst = data;
66 {
67 char * data = myUnion.unionSecond;
68 {
69 char dest[50] = "";
70 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
71 strcpy(dest, data);
72 printLine(data);
73 free(data);
74 }
75 }
76}
77
78void CWE122_Heap_Based_Buffer_Overflow__c_src_char_cpy_34_good()
79{
80 goodG2B();
81}
82
83#endif /* OMITGOOD */
84
85/* Below is the main(). It is only used when building this testcase on
86 * its own for testing or for building a binary to use in testing binary
87 * analysis tools. It is not used when compiling all the testcases as one
88 * application, which is how source code analysis tools are tested.
89 */
90#ifdef INCLUDEMAIN
91
92int main(int argc, char * argv[])
93{
94 /* seed randomness */
95 srand( (unsigned)time(NULL) );
96#ifndef OMITGOOD
97 printLine("Calling good()...");
98 CWE122_Heap_Based_Buffer_Overflow__c_src_char_cpy_34_good();
99 printLine("Finished good()");
100#endif /* OMITGOOD */
101#ifndef OMITBAD
102 printLine("Calling bad()...");
103 CWE122_Heap_Based_Buffer_Overflow__c_src_char_cpy_34_bad();
104 printLine("Finished bad()");
105#endif /* OMITBAD */
106 return 0;
107}
108
109#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9395: CWE124_Buffer_Underwrite__malloc_wchar_t_cpy_02.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__malloc_wchar_t_cpy_02.c
3Label Definition File: CWE124_Buffer_Underwrite__malloc.label.xml
4Template File: sources-sink-02.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: cpy
12 * BadSink : Copy string to data using wcscpy
13 * Flow Variant: 02 Control flow: if(1) and if(0)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE124_Buffer_Underwrite__malloc_wchar_t_cpy_02_bad()
24{
25 wchar_t * data;
26 data = NULL;
27 if(1)
28 {
29 {
30 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
31 if (dataBuffer == NULL) {exit(-1);}
32 wmemset(dataBuffer, L'A', 100-1);
33 dataBuffer[100-1] = L'\0';
34 /* FLAW: Set data pointer to before the allocated memory buffer */
35 data = dataBuffer - 8;
36 }
37 }
38 {
39 wchar_t source[100];
40 wmemset(source, L'C', 100-1); /* fill with 'C's */
41 source[100-1] = L'\0'; /* null terminate */
42 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
43 wcscpy(data, source);❗VULN
44 printWLine(data);
45 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
46 * returned by malloc() so can't safely call free() on it */
47 }
48}
49
50#endif /* OMITBAD */
51
52#ifndef OMITGOOD
53
54/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */
55static void goodG2B1()
56{
57 wchar_t * data;
58 data = NULL;
59 if(0)
60 {
61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
62 printLine("Benign, fixed string");
63 }
64 else
65 {
66 {
67 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
68 if (dataBuffer == NULL) {exit(-1);}
69 wmemset(dataBuffer, L'A', 100-1);
70 dataBuffer[100-1] = L'\0';
71 /* FIX: Set data pointer to the allocated memory buffer */
72 data = dataBuffer;
73 }
74 }
75 {
76 wchar_t source[100];
77 wmemset(source, L'C', 100-1); /* fill with 'C's */
78 source[100-1] = L'\0'; /* null terminate */
79 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
80 wcscpy(data, source);
81 printWLine(data);
82 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
83 * returned by malloc() so can't safely call free() on it */
84 }
85}
86
87/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
88static void goodG2B2()
89{
90 wchar_t * data;
91 data = NULL;
92 if(1)
93 {
94 {
95 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
96 if (dataBuffer == NULL) {exit(-1);}
97 wmemset(dataBuffer, L'A', 100-1);
98 dataBuffer[100-1] = L'\0';
99 /* FIX: Set data pointer to the allocated memory buffer */
100 data = dataBuffer;
101 }
102 }
103 {
104 wchar_t source[100];
105 wmemset(source, L'C', 100-1); /* fill with 'C's */
106 source[100-1] = L'\0'; /* null terminate */
107 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
108 wcscpy(data, source);
109 printWLine(data);
110 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
111 * returned by malloc() so can't safely call free() on it */
112 }
113}
114
115void CWE124_Buffer_Underwrite__malloc_wchar_t_cpy_02_good()
116{
117 goodG2B1();
118 goodG2B2();
119}
120
121#endif /* OMITGOOD */
122
123/* Below is the main(). It is only used when building this testcase on
124 * its own for testing or for building a binary to use in testing binary
125 * analysis tools. It is not used when compiling all the testcases as one
126 * application, which is how source code analysis tools are tested.
127 */
128
129#ifdef INCLUDEMAIN
130
131int main(int argc, char * argv[])
132{
133 /* seed randomness */
134 srand( (unsigned)time(NULL) );
135#ifndef OMITGOOD
136 printLine("Calling good()...");
137 CWE124_Buffer_Underwrite__malloc_wchar_t_cpy_02_good();
138 printLine("Finished good()");
139#endif /* OMITGOOD */
140#ifndef OMITBAD
141 printLine("Calling bad()...");
142 CWE124_Buffer_Underwrite__malloc_wchar_t_cpy_02_bad();
143 printLine("Finished bad()");
144#endif /* OMITBAD */
145 return 0;
146}
147
148#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2697: CWE124_Buffer_Underwrite__malloc_wchar_t_loop_21.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__malloc_wchar_t_loop_21.c
3Label Definition File: CWE124_Buffer_Underwrite__malloc.label.xml
4Template File: sources-sink-21.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: loop
12 * BadSink : Copy string to data using a loop
13 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23/* The static variable below is used to drive control flow in the source function */
24static int badStatic = 0;
25
26static wchar_t * badSource(wchar_t * data)
27{
28 if(badStatic)
29 {
30 {
31 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
32 if (dataBuffer == NULL) {exit(-1);}
33 wmemset(dataBuffer, L'A', 100-1);
34 dataBuffer[100-1] = L'\0';
35 /* FLAW: Set data pointer to before the allocated memory buffer */
36 data = dataBuffer - 8;
37 }
38 }
39 return data;
40}
41
42void CWE124_Buffer_Underwrite__malloc_wchar_t_loop_21_bad()
43{
44 wchar_t * data;
45 data = NULL;
46 badStatic = 1; /* true */
47 data = badSource(data);
48 {
49 size_t i;
50 wchar_t source[100];
51 wmemset(source, L'C', 100-1); /* fill with 'C's */
52 source[100-1] = L'\0'; /* null terminate */
53 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
54 for (i = 0; i < 100; i++)
55 {
56 data[i] = source[i];❗VULN
57 }
58 /* Ensure the destination buffer is null terminated */
59 data[100-1] = L'\0';
60 printWLine(data);
61 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
62 * returned by malloc() so can't safely call free() on it */
63 }
64}
65
66#endif /* OMITBAD */
67
68#ifndef OMITGOOD
69
70/* The static variables below are used to drive control flow in the source functions. */
71static int goodG2B1Static = 0;
72static int goodG2B2Static = 0;
73
74/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */
75static wchar_t * goodG2B1Source(wchar_t * data)
76{
77 if(goodG2B1Static)
78 {
79 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
80 printLine("Benign, fixed string");
81 }
82 else
83 {
84 {
85 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
86 if (dataBuffer == NULL) {exit(-1);}
87 wmemset(dataBuffer, L'A', 100-1);
88 dataBuffer[100-1] = L'\0';
89 /* FIX: Set data pointer to the allocated memory buffer */
90 data = dataBuffer;
91 }
92 }
93 return data;
94}
95
96static void goodG2B1()
97{
98 wchar_t * data;
99 data = NULL;
100 goodG2B1Static = 0; /* false */
101 data = goodG2B1Source(data);
102 {
103 size_t i;
104 wchar_t source[100];
105 wmemset(source, L'C', 100-1); /* fill with 'C's */
106 source[100-1] = L'\0'; /* null terminate */
107 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
108 for (i = 0; i < 100; i++)
109 {
110 data[i] = source[i];
111 }
112 /* Ensure the destination buffer is null terminated */
113 data[100-1] = L'\0';
114 printWLine(data);
115 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
116 * returned by malloc() so can't safely call free() on it */
117 }
118}
119
120/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */
121static wchar_t * goodG2B2Source(wchar_t * data)
122{
123 if(goodG2B2Static)
124 {
125 {
126 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
127 if (dataBuffer == NULL) {exit(-1);}
128 wmemset(dataBuffer, L'A', 100-1);
129 dataBuffer[100-1] = L'\0';
130 /* FIX: Set data pointer to the allocated memory buffer */
131 data = dataBuffer;
132 }
133 }
134 return data;
135}
136
137static void goodG2B2()
138{
139 wchar_t * data;
140 data = NULL;
141 goodG2B2Static = 1; /* true */
142 data = goodG2B2Source(data);
143 {
144 size_t i;
145 wchar_t source[100];
146 wmemset(source, L'C', 100-1); /* fill with 'C's */
147 source[100-1] = L'\0'; /* null terminate */
148 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
149 for (i = 0; i < 100; i++)
150 {
151 data[i] = source[i];
152 }
153 /* Ensure the destination buffer is null terminated */
154 data[100-1] = L'\0';
155 printWLine(data);
156 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
157 * returned by malloc() so can't safely call free() on it */
158 }
159}
160
161void CWE124_Buffer_Underwrite__malloc_wchar_t_loop_21_good()
162{
163 goodG2B1();
164 goodG2B2();
165}
166
167#endif /* OMITGOOD */
168
169/* Below is the main(). It is only used when building this testcase on
170 * its own for testing or for building a binary to use in testing binary
171 * analysis tools. It is not used when compiling all the testcases as one
172 * application, which is how source code analysis tools are tested.
173 */
174
175#ifdef INCLUDEMAIN
176
177int main(int argc, char * argv[])
178{
179 /* seed randomness */
180 srand( (unsigned)time(NULL) );
181#ifndef OMITGOOD
182 printLine("Calling good()...");
183 CWE124_Buffer_Underwrite__malloc_wchar_t_loop_21_good();
184 printLine("Finished good()");
185#endif /* OMITGOOD */
186#ifndef OMITBAD
187 printLine("Calling bad()...");
188 CWE124_Buffer_Underwrite__malloc_wchar_t_loop_21_bad();
189 printLine("Finished bad()");
190#endif /* OMITBAD */
191 return 0;
192}
193
194#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7328: CWE121_Stack_Based_Buffer_Overflow__CWE131_memmove_14.c

Nodes: 7 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE131_memmove_14.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE131.label.xml
4Template File: sources-sink-14.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Allocate memory without using sizeof(int)
10 * GoodSource: Allocate memory using sizeof(int)
11 * Sink: memmove
12 * BadSink : Copy array to data using memmove()
13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE121_Stack_Based_Buffer_Overflow__CWE131_memmove_14_bad()
22{
23 int * data;
24 data = NULL;
25 if(globalFive==5)
26 {
27 /* FLAW: Allocate memory without using sizeof(int) */
28 data = (int *)ALLOCA(10);
29 }
30 {
31 int source[10] = {0};
32 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
33 memmove(data, source, 10*sizeof(int));❗VULN
34 printIntLine(data[0]);
35 }
36}
37
38#endif /* OMITBAD */
39
40#ifndef OMITGOOD
41
42/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */
43static void goodG2B1()
44{
45 int * data;
46 data = NULL;
47 if(globalFive!=5)
48 {
49 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
50 printLine("Benign, fixed string");
51 }
52 else
53 {
54 /* FIX: Allocate memory using sizeof(int) */
55 data = (int *)ALLOCA(10*sizeof(int));
56 }
57 {
58 int source[10] = {0};
59 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
60 memmove(data, source, 10*sizeof(int));
61 printIntLine(data[0]);
62 }
63}
64
65/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
66static void goodG2B2()
67{
68 int * data;
69 data = NULL;
70 if(globalFive==5)
71 {
72 /* FIX: Allocate memory using sizeof(int) */
73 data = (int *)ALLOCA(10*sizeof(int));
74 }
75 {
76 int source[10] = {0};
77 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
78 memmove(data, source, 10*sizeof(int));
79 printIntLine(data[0]);
80 }
81}
82
83void CWE121_Stack_Based_Buffer_Overflow__CWE131_memmove_14_good()
84{
85 goodG2B1();
86 goodG2B2();
87}
88
89#endif /* OMITGOOD */
90
91/* Below is the main(). It is only used when building this testcase on
92 * its own for testing or for building a binary to use in testing binary
93 * analysis tools. It is not used when compiling all the testcases as one
94 * application, which is how source code analysis tools are tested.
95 */
96
97#ifdef INCLUDEMAIN
98
99int main(int argc, char * argv[])
100{
101 /* seed randomness */
102 srand( (unsigned)time(NULL) );
103#ifndef OMITGOOD
104 printLine("Calling good()...");
105 CWE121_Stack_Based_Buffer_Overflow__CWE131_memmove_14_good();
106 printLine("Finished good()");
107#endif /* OMITGOOD */
108#ifndef OMITBAD
109 printLine("Calling bad()...");
110 CWE121_Stack_Based_Buffer_Overflow__CWE131_memmove_14_bad();
111 printLine("Finished bad()");
112#endif /* OMITBAD */
113 return 0;
114}
115
116#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2896: CWE127_Buffer_Underread__new_wchar_t_memmove_18.cpp

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__new_wchar_t_memmove_18.cpp
3Label Definition File: CWE127_Buffer_Underread__new.label.xml
4Template File: sources-sink-18.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 18 Control flow: goto statements
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE127_Buffer_Underread__new_wchar_t_memmove_18
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 wchar_t * data;
29 data = NULL;
30 goto source;
31source:
32 {
33 wchar_t * dataBuffer = new wchar_t[100];
34 wmemset(dataBuffer, L'A', 100-1);
35 dataBuffer[100-1] = L'\0';
36 /* FLAW: Set data pointer to before the allocated memory buffer */
37 data = dataBuffer - 8;
38 }
39 {
40 wchar_t dest[100];
41 wmemset(dest, L'C', 100-1); /* fill with 'C's */
42 dest[100-1] = L'\0'; /* null terminate */
43 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
44 memmove(dest, data, 100*sizeof(wchar_t));❗VULN
45 /* Ensure null termination */
46 dest[100-1] = L'\0';
47 printWLine(dest);
48 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
49 * returned by new [] so can't safely call delete [] on it */
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
58static void goodG2B()
59{
60 wchar_t * data;
61 data = NULL;
62 goto source;
63source:
64 {
65 wchar_t * dataBuffer = new wchar_t[100];
66 wmemset(dataBuffer, L'A', 100-1);
67 dataBuffer[100-1] = L'\0';
68 /* FIX: Set data pointer to the allocated memory buffer */
69 data = dataBuffer;
70 }
71 {
72 wchar_t dest[100];
73 wmemset(dest, L'C', 100-1); /* fill with 'C's */
74 dest[100-1] = L'\0'; /* null terminate */
75 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
76 memmove(dest, data, 100*sizeof(wchar_t));
77 /* Ensure null termination */
78 dest[100-1] = L'\0';
79 printWLine(dest);
80 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
81 * returned by new [] so can't safely call delete [] on it */
82 }
83}
84
85void good()
86{
87 goodG2B();
88}
89
90#endif /* OMITGOOD */
91
92} /* close namespace */
93
94/* Below is the main(). It is only used when building this testcase on
95 its own for testing or for building a binary to use in testing binary
96 analysis tools. It is not used when compiling all the testcases as one
97 application, which is how source code analysis tools are tested. */
98
99#ifdef INCLUDEMAIN
100
101using namespace CWE127_Buffer_Underread__new_wchar_t_memmove_18; /* so that we can use good and bad easily */
102
103int main(int argc, char * argv[])
104{
105 /* seed randomness */
106 srand( (unsigned)time(NULL) );
107#ifndef OMITGOOD
108 printLine("Calling good()...");
109 good();
110 printLine("Finished good()");
111#endif /* OMITGOOD */
112#ifndef OMITBAD
113 printLine("Calling bad()...");
114 bad();
115 printLine("Finished bad()");
116#endif /* OMITBAD */
117 return 0;
118}
119
120#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7010: CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_05.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_05.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__CWE131.label.xml
4Template File: sources-sink-05.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory without using sizeof(int)
10 * GoodSource: Allocate memory using sizeof(int)
11 * Sink: memmove
12 * BadSink : Copy array to data using memmove()
13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19/* The two variables below are not defined as "const", but are never
20 * assigned any other value, so a tool should be able to identify that
21 * reads of these will always return their initialized values.
22 */
23static int staticTrue = 1; /* true */
24static int staticFalse = 0; /* false */
25
26#ifndef OMITBAD
27
28void CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_05_bad()
29{
30 int * data;
31 data = NULL;
32 if(staticTrue)
33 {
34 /* FLAW: Allocate memory without using sizeof(int) */
35 data = (int *)malloc(10);
36 if (data == NULL) {exit(-1);}
37 }
38 {
39 int source[10] = {0};
40 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
41 memmove(data, source, 10*sizeof(int));❗VULN
42 printIntLine(data[0]);
43 free(data);
44 }
45}
46
47#endif /* OMITBAD */
48
49#ifndef OMITGOOD
50
51/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */
52static void goodG2B1()
53{
54 int * data;
55 data = NULL;
56 if(staticFalse)
57 {
58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
59 printLine("Benign, fixed string");
60 }
61 else
62 {
63 /* FIX: Allocate memory using sizeof(int) */
64 data = (int *)malloc(10*sizeof(int));
65 if (data == NULL) {exit(-1);}
66 }
67 {
68 int source[10] = {0};
69 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
70 memmove(data, source, 10*sizeof(int));
71 printIntLine(data[0]);
72 free(data);
73 }
74}
75
76/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
77static void goodG2B2()
78{
79 int * data;
80 data = NULL;
81 if(staticTrue)
82 {
83 /* FIX: Allocate memory using sizeof(int) */
84 data = (int *)malloc(10*sizeof(int));
85 if (data == NULL) {exit(-1);}
86 }
87 {
88 int source[10] = {0};
89 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
90 memmove(data, source, 10*sizeof(int));
91 printIntLine(data[0]);
92 free(data);
93 }
94}
95
96void CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_05_good()
97{
98 goodG2B1();
99 goodG2B2();
100}
101
102#endif /* OMITGOOD */
103
104/* Below is the main(). It is only used when building this testcase on
105 * its own for testing or for building a binary to use in testing binary
106 * analysis tools. It is not used when compiling all the testcases as one
107 * application, which is how source code analysis tools are tested.
108 */
109
110#ifdef INCLUDEMAIN
111
112int main(int argc, char * argv[])
113{
114 /* seed randomness */
115 srand( (unsigned)time(NULL) );
116#ifndef OMITGOOD
117 printLine("Calling good()...");
118 CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_05_good();
119 printLine("Finished good()");
120#endif /* OMITGOOD */
121#ifndef OMITBAD
122 printLine("Calling bad()...");
123 CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_05_bad();
124 printLine("Finished bad()");
125#endif /* OMITBAD */
126 return 0;
127}
128
129#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5325: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_loop_02.c

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_loop_02.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml
4Template File: sources-sink-02.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 * GoodSource: Allocate enough memory for a string and the NULL terminator
11 * Sink: loop
12 * BadSink : Copy array to data using a loop
13 * Flow Variant: 02 Control flow: if(1) and if(0)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING "AAAAAAAAAA"
25
26#ifndef OMITBAD
27
28void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_loop_02_bad()
29{
30 char * data;
31 data = NULL;
32 if(1)
33 {
34 /* FLAW: Did not leave space for a null terminator */
35 data = (char *)malloc(10*sizeof(char));
36 if (data == NULL) {exit(-1);}
37 }
38 {
39 char source[10+1] = SRC_STRING;
40 size_t i, sourceLen;
41 sourceLen = strlen(source);
42 /* Copy length + 1 to include NUL terminator from source */
43 /* POTENTIAL FLAW: data may not have enough space to hold source */
44 for (i = 0; i < sourceLen + 1; i++)
45 {
46 data[i] = source[i];❗VULN
47 }
48 printLine(data);
49 free(data);
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */
58static void goodG2B1()
59{
60 char * data;
61 data = NULL;
62 if(0)
63 {
64 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
65 printLine("Benign, fixed string");
66 }
67 else
68 {
69 /* FIX: Allocate space for a null terminator */
70 data = (char *)malloc((10+1)*sizeof(char));
71 if (data == NULL) {exit(-1);}
72 }
73 {
74 char source[10+1] = SRC_STRING;
75 size_t i, sourceLen;
76 sourceLen = strlen(source);
77 /* Copy length + 1 to include NUL terminator from source */
78 /* POTENTIAL FLAW: data may not have enough space to hold source */
79 for (i = 0; i < sourceLen + 1; i++)
80 {
81 data[i] = source[i];
82 }
83 printLine(data);
84 free(data);
85 }
86}
87
88/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
89static void goodG2B2()
90{
91 char * data;
92 data = NULL;
93 if(1)
94 {
95 /* FIX: Allocate space for a null terminator */
96 data = (char *)malloc((10+1)*sizeof(char));
97 if (data == NULL) {exit(-1);}
98 }
99 {
100 char source[10+1] = SRC_STRING;
101 size_t i, sourceLen;
102 sourceLen = strlen(source);
103 /* Copy length + 1 to include NUL terminator from source */
104 /* POTENTIAL FLAW: data may not have enough space to hold source */
105 for (i = 0; i < sourceLen + 1; i++)
106 {
107 data[i] = source[i];
108 }
109 printLine(data);
110 free(data);
111 }
112}
113
114void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_loop_02_good()
115{
116 goodG2B1();
117 goodG2B2();
118}
119
120#endif /* OMITGOOD */
121
122/* Below is the main(). It is only used when building this testcase on
123 * its own for testing or for building a binary to use in testing binary
124 * analysis tools. It is not used when compiling all the testcases as one
125 * application, which is how source code analysis tools are tested.
126 */
127
128#ifdef INCLUDEMAIN
129
130int main(int argc, char * argv[])
131{
132 /* seed randomness */
133 srand( (unsigned)time(NULL) );
134#ifndef OMITGOOD
135 printLine("Calling good()...");
136 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_loop_02_good();
137 printLine("Finished good()");
138#endif /* OMITGOOD */
139#ifndef OMITBAD
140 printLine("Calling bad()...");
141 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_loop_02_bad();
142 printLine("Finished bad()");
143#endif /* OMITBAD */
144 return 0;
145}
146
147#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4958: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_17.c

Nodes: 19 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_17.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml
4Template File: sources-sink-17.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: loop
12 * BadSink : Copy string to data using a loop
13 * Flow Variant: 17 Control flow: for loops
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_17_bad()
24{
25 int i;
26 char * data;
27 char dataBadBuffer[50];
28 char dataGoodBuffer[100];
29 for(i = 0; i < 1; i++)
30 {
31 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
32 * buffer in various memory copying functions using a "large" source buffer. */
33 data = dataBadBuffer;
34 data[0] = '\0'; /* null terminate */
35 }
36 {
37 size_t i;
38 char source[100];
39 memset(source, 'C', 100-1); /* fill with 'C's */
40 source[100-1] = '\0'; /* null terminate */
41 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
42 for (i = 0; i < 100; i++)
43 {
44 data[i] = source[i];❗VULN
45 }
46 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
47 printLine(data);
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */
56static void goodG2B()
57{
58 int h;
59 char * data;
60 char dataBadBuffer[50];
61 char dataGoodBuffer[100];
62 for(h = 0; h < 1; h++)
63 {
64 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
65 data = dataGoodBuffer;
66 data[0] = '\0'; /* null terminate */
67 }
68 {
69 size_t i;
70 char source[100];
71 memset(source, 'C', 100-1); /* fill with 'C's */
72 source[100-1] = '\0'; /* null terminate */
73 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
74 for (i = 0; i < 100; i++)
75 {
76 data[i] = source[i];
77 }
78 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
79 printLine(data);
80 }
81}
82
83void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_17_good()
84{
85 goodG2B();
86}
87
88#endif /* OMITGOOD */
89
90/* Below is the main(). It is only used when building this testcase on
91 * its own for testing or for building a binary to use in testing binary
92 * analysis tools. It is not used when compiling all the testcases as one
93 * application, which is how source code analysis tools are tested.
94 */
95
96#ifdef INCLUDEMAIN
97
98int main(int argc, char * argv[])
99{
100 /* seed randomness */
101 srand( (unsigned)time(NULL) );
102#ifndef OMITGOOD
103 printLine("Calling good()...");
104 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_17_good();
105 printLine("Finished good()");
106#endif /* OMITGOOD */
107#ifndef OMITBAD
108 printLine("Calling bad()...");
109 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_17_bad();
110 printLine("Finished bad()");
111#endif /* OMITBAD */
112 return 0;
113}
114
115#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 577: CWE123_Write_What_Where_Condition__listen_socket_34.c

Nodes: 46 | Sink Nodes: 2 predicted, 2 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* Error: Could not load file CWE123_Write_What_Where_Condition__listen_socket_34.c: File CWE123_Write_What_Where_Condition__listen_socket_34.c not found in any subfolder of /home/nimana11/Thesis/codes/VulExplainerExp-84ED_2/datasets/buffer overflow/function/testcases/CWE123_Write_What_Where_Condition */

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4975: CWE127_Buffer_Underread__char_alloca_cpy_17.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__char_alloca_cpy_17.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-17.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: cpy
12 * BadSink : Copy data to string using strcpy
13 * Flow Variant: 17 Control flow: for loops
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__char_alloca_cpy_17_bad()
24{
25 int i;
26 char * data;
27 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
28 memset(dataBuffer, 'A', 100-1);
29 dataBuffer[100-1] = '\0';
30 for(i = 0; i < 1; i++)
31 {
32 /* FLAW: Set data pointer to before the allocated memory buffer */
33 data = dataBuffer - 8;
34 }
35 {
36 char dest[100*2];
37 memset(dest, 'C', 100*2-1); /* fill with 'C's */
38 dest[100*2-1] = '\0'; /* null terminate */
39 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
40 strcpy(dest, data);❗VULN
41 printLine(dest);
42 }
43}
44
45#endif /* OMITBAD */
46
47#ifndef OMITGOOD
48
49/* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */
50static void goodG2B()
51{
52 int h;
53 char * data;
54 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
55 memset(dataBuffer, 'A', 100-1);
56 dataBuffer[100-1] = '\0';
57 for(h = 0; h < 1; h++)
58 {
59 /* FIX: Set data pointer to the allocated memory buffer */
60 data = dataBuffer;
61 }
62 {
63 char dest[100*2];
64 memset(dest, 'C', 100*2-1); /* fill with 'C's */
65 dest[100*2-1] = '\0'; /* null terminate */
66 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
67 strcpy(dest, data);
68 printLine(dest);
69 }
70}
71
72void CWE127_Buffer_Underread__char_alloca_cpy_17_good()
73{
74 goodG2B();
75}
76
77#endif /* OMITGOOD */
78
79/* Below is the main(). It is only used when building this testcase on
80 * its own for testing or for building a binary to use in testing binary
81 * analysis tools. It is not used when compiling all the testcases as one
82 * application, which is how source code analysis tools are tested.
83 */
84
85#ifdef INCLUDEMAIN
86
87int main(int argc, char * argv[])
88{
89 /* seed randomness */
90 srand( (unsigned)time(NULL) );
91#ifndef OMITGOOD
92 printLine("Calling good()...");
93 CWE127_Buffer_Underread__char_alloca_cpy_17_good();
94 printLine("Finished good()");
95#endif /* OMITGOOD */
96#ifndef OMITBAD
97 printLine("Calling bad()...");
98 CWE127_Buffer_Underread__char_alloca_cpy_17_bad();
99 printLine("Finished bad()");
100#endif /* OMITBAD */
101 return 0;
102}
103
104#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 922: CWE124_Buffer_Underwrite__new_wchar_t_ncpy_18.cpp

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__new_wchar_t_ncpy_18.cpp
3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml
4Template File: sources-sink-18.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: ncpy
12 * BadSink : Copy string to data using wcsncpy
13 * Flow Variant: 18 Control flow: goto statements
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE124_Buffer_Underwrite__new_wchar_t_ncpy_18
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 wchar_t * data;
29 data = NULL;
30 goto source;
31source:
32 {
33 wchar_t * dataBuffer = new wchar_t[100];
34 wmemset(dataBuffer, L'A', 100-1);
35 dataBuffer[100-1] = L'\0';
36 /* FLAW: Set data pointer to before the allocated memory buffer */
37 data = dataBuffer - 8;
38 }
39 {
40 wchar_t source[100];
41 wmemset(source, L'C', 100-1); /* fill with 'C's */
42 source[100-1] = L'\0'; /* null terminate */
43 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
44 wcsncpy(data, source, 100-1);❗VULN
45 /* Ensure the destination buffer is null terminated */
46 data[100-1] = L'\0';
47 printWLine(data);
48 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
49 * returned by new [] so can't safely call delete [] on it */
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
58static void goodG2B()
59{
60 wchar_t * data;
61 data = NULL;
62 goto source;
63source:
64 {
65 wchar_t * dataBuffer = new wchar_t[100];
66 wmemset(dataBuffer, L'A', 100-1);
67 dataBuffer[100-1] = L'\0';
68 /* FIX: Set data pointer to the allocated memory buffer */
69 data = dataBuffer;
70 }
71 {
72 wchar_t source[100];
73 wmemset(source, L'C', 100-1); /* fill with 'C's */
74 source[100-1] = L'\0'; /* null terminate */
75 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
76 wcsncpy(data, source, 100-1);
77 /* Ensure the destination buffer is null terminated */
78 data[100-1] = L'\0';
79 printWLine(data);
80 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
81 * returned by new [] so can't safely call delete [] on it */
82 }
83}
84
85void good()
86{
87 goodG2B();
88}
89
90#endif /* OMITGOOD */
91
92} /* close namespace */
93
94/* Below is the main(). It is only used when building this testcase on
95 its own for testing or for building a binary to use in testing binary
96 analysis tools. It is not used when compiling all the testcases as one
97 application, which is how source code analysis tools are tested. */
98
99#ifdef INCLUDEMAIN
100
101using namespace CWE124_Buffer_Underwrite__new_wchar_t_ncpy_18; /* so that we can use good and bad easily */
102
103int main(int argc, char * argv[])
104{
105 /* seed randomness */
106 srand( (unsigned)time(NULL) );
107#ifndef OMITGOOD
108 printLine("Calling good()...");
109 good();
110 printLine("Finished good()");
111#endif /* OMITGOOD */
112#ifndef OMITBAD
113 printLine("Calling bad()...");
114 bad();
115 printLine("Finished bad()");
116#endif /* OMITBAD */
117 return 0;
118}
119
120#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6796: CWE124_Buffer_Underwrite__CWE839_fgets_22b.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__CWE839_fgets_22b.c
3Label Definition File: CWE124_Buffer_Underwrite__CWE839.label.xml
4Template File: sources-sinks-22b.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: fgets Read data from the console using fgets()
10 * GoodSource: Non-negative but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the lower bound
14 * Flow Variant: 22 Control flow: Flow controlled by value of a global variable. Sink functions are in a separate file from sources.
15 *
16 * */
17
18#include "std_testcase.h"
19
20#ifndef OMITBAD
21
22/* The global variable below is used to drive control flow in the sink function */
23extern int CWE124_Buffer_Underwrite__CWE839_fgets_22_badGlobal;
24
25void CWE124_Buffer_Underwrite__CWE839_fgets_22_badSink(int data)
26{
27 if(CWE124_Buffer_Underwrite__CWE839_fgets_22_badGlobal)
28 {
29 {
30 int i;
31 int buffer[10] = { 0 };
32 /* POTENTIAL FLAW: Attempt to access a negative index of the array
33 * This code does not check to see if the array index is negative */
34 if (data < 10)
35 {
36 buffer[data] = 1;❗VULN
37 /* Print the array values */
38 for(i = 0; i < 10; i++)
39 {
40 printIntLine(buffer[i]);
41 }
42 }
43 else
44 {
45 printLine("ERROR: Array index is negative.");
46 }
47 }
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* The global variables below are used to drive control flow in the sink functions. */
56extern int CWE124_Buffer_Underwrite__CWE839_fgets_22_goodB2G1Global;
57extern int CWE124_Buffer_Underwrite__CWE839_fgets_22_goodB2G2Global;
58extern int CWE124_Buffer_Underwrite__CWE839_fgets_22_goodG2BGlobal;
59
60/* goodB2G1() - use badsource and goodsink by setting the static variable to false instead of true */
61void CWE124_Buffer_Underwrite__CWE839_fgets_22_goodB2G1Sink(int data)
62{
63 if(CWE124_Buffer_Underwrite__CWE839_fgets_22_goodB2G1Global)
64 {
65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
66 printLine("Benign, fixed string");
67 }
68 else
69 {
70 {
71 int i;
72 int buffer[10] = { 0 };
73 /* FIX: Properly validate the array index and prevent a buffer underwrite */
74 if (data >= 0 && data < (10))
75 {
76 buffer[data] = 1;
77 /* Print the array values */
78 for(i = 0; i < 10; i++)
79 {
80 printIntLine(buffer[i]);
81 }
82 }
83 else
84 {
85 printLine("ERROR: Array index is out-of-bounds");
86 }
87 }
88 }
89}
90
91/* goodB2G2() - use badsource and goodsink by reversing the blocks in the if in the sink function */
92void CWE124_Buffer_Underwrite__CWE839_fgets_22_goodB2G2Sink(int data)
93{
94 if(CWE124_Buffer_Underwrite__CWE839_fgets_22_goodB2G2Global)
95 {
96 {
97 int i;
98 int buffer[10] = { 0 };
99 /* FIX: Properly validate the array index and prevent a buffer underwrite */
100 if (data >= 0 && data < (10))
101 {
102 buffer[data] = 1;
103 /* Print the array values */
104 for(i = 0; i < 10; i++)
105 {
106 printIntLine(buffer[i]);
107 }
108 }
109 else
110 {
111 printLine("ERROR: Array index is out-of-bounds");
112 }
113 }
114 }
115}
116
117/* goodG2B() - use goodsource and badsink */
118void CWE124_Buffer_Underwrite__CWE839_fgets_22_goodG2BSink(int data)
119{
120 if(CWE124_Buffer_Underwrite__CWE839_fgets_22_goodG2BGlobal)
121 {
122 {
123 int i;
124 int buffer[10] = { 0 };
125 /* POTENTIAL FLAW: Attempt to access a negative index of the array
126 * This code does not check to see if the array index is negative */
127 if (data < 10)
128 {
129 buffer[data] = 1;
130 /* Print the array values */
131 for(i = 0; i < 10; i++)
132 {
133 printIntLine(buffer[i]);
134 }
135 }
136 else
137 {
138 printLine("ERROR: Array index is negative.");
139 }
140 }
141 }
142}
143
144#endif /* OMITGOOD */

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9024: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_snprintf_42.c

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_snprintf_42.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4Template File: sources-sink-42.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 * Sink: snprintf
12 * BadSink : Copy string to data using snprintf
13 * Flow Variant: 42 Data flow: data returned from one function to another in the same source file
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifdef _WIN32
22#define SNPRINTF _snprintf
23#else
24#define SNPRINTF snprintf
25#endif
26
27#ifndef OMITBAD
28
29static char * badSource(char * data)
30{
31 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
32 data = (char *)malloc(50*sizeof(char));
33 if (data == NULL) {exit(-1);}
34 data[0] = '\0'; /* null terminate */
35 return data;
36}
37
38void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_snprintf_42_bad()
39{
40 char * data;
41 data = NULL;
42 data = badSource(data);
43 {
44 char source[100];
45 memset(source, 'C', 100-1); /* fill with 'C's */
46 source[100-1] = '\0'; /* null terminate */
47 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
48 SNPRINTF(data, 100, "%s", source);❗VULN
49 printLine(data);
50 free(data);
51 }
52}
53
54#endif /* OMITBAD */
55
56#ifndef OMITGOOD
57
58static char * goodG2BSource(char * data)
59{
60 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
61 data = (char *)malloc(100*sizeof(char));
62 if (data == NULL) {exit(-1);}
63 data[0] = '\0'; /* null terminate */
64 return data;
65}
66
67/* goodG2B uses the GoodSource with the BadSink */
68static void goodG2B()
69{
70 char * data;
71 data = NULL;
72 data = goodG2BSource(data);
73 {
74 char source[100];
75 memset(source, 'C', 100-1); /* fill with 'C's */
76 source[100-1] = '\0'; /* null terminate */
77 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
78 SNPRINTF(data, 100, "%s", source);
79 printLine(data);
80 free(data);
81 }
82}
83
84void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_snprintf_42_good()
85{
86 goodG2B();
87}
88
89#endif /* OMITGOOD */
90
91/* Below is the main(). It is only used when building this testcase on
92 * its own for testing or for building a binary to use in testing binary
93 * analysis tools. It is not used when compiling all the testcases as one
94 * application, which is how source code analysis tools are tested.
95 */
96
97#ifdef INCLUDEMAIN
98
99int main(int argc, char * argv[])
100{
101 /* seed randomness */
102 srand( (unsigned)time(NULL) );
103#ifndef OMITGOOD
104 printLine("Calling good()...");
105 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_snprintf_42_good();
106 printLine("Finished good()");
107#endif /* OMITGOOD */
108#ifndef OMITBAD
109 printLine("Calling bad()...");
110 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_snprintf_42_bad();
111 printLine("Finished bad()");
112#endif /* OMITBAD */
113 return 0;
114}
115
116#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 343: CWE124_Buffer_Underwrite__char_declare_cpy_16.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__char_declare_cpy_16.c
3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml
4Template File: sources-sink-16.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: cpy
12 * BadSink : Copy string to data using strcpy
13 * Flow Variant: 16 Control flow: while(1)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE124_Buffer_Underwrite__char_declare_cpy_16_bad()
24{
25 char * data;
26 char dataBuffer[100];
27 memset(dataBuffer, 'A', 100-1);
28 dataBuffer[100-1] = '\0';
29 while(1)
30 {
31 /* FLAW: Set data pointer to before the allocated memory buffer */
32 data = dataBuffer - 8;
33 break;
34 }
35 {
36 char source[100];
37 memset(source, 'C', 100-1); /* fill with 'C's */
38 source[100-1] = '\0'; /* null terminate */
39 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
40 strcpy(data, source);❗VULN
41 printLine(data);
42 }
43}
44
45#endif /* OMITBAD */
46
47#ifndef OMITGOOD
48
49/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */
50static void goodG2B()
51{
52 char * data;
53 char dataBuffer[100];
54 memset(dataBuffer, 'A', 100-1);
55 dataBuffer[100-1] = '\0';
56 while(1)
57 {
58 /* FIX: Set data pointer to the allocated memory buffer */
59 data = dataBuffer;
60 break;
61 }
62 {
63 char source[100];
64 memset(source, 'C', 100-1); /* fill with 'C's */
65 source[100-1] = '\0'; /* null terminate */
66 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
67 strcpy(data, source);
68 printLine(data);
69 }
70}
71
72void CWE124_Buffer_Underwrite__char_declare_cpy_16_good()
73{
74 goodG2B();
75}
76
77#endif /* OMITGOOD */
78
79/* Below is the main(). It is only used when building this testcase on
80 * its own for testing or for building a binary to use in testing binary
81 * analysis tools. It is not used when compiling all the testcases as one
82 * application, which is how source code analysis tools are tested.
83 */
84
85#ifdef INCLUDEMAIN
86
87int main(int argc, char * argv[])
88{
89 /* seed randomness */
90 srand( (unsigned)time(NULL) );
91#ifndef OMITGOOD
92 printLine("Calling good()...");
93 CWE124_Buffer_Underwrite__char_declare_cpy_16_good();
94 printLine("Finished good()");
95#endif /* OMITGOOD */
96#ifndef OMITBAD
97 printLine("Calling bad()...");
98 CWE124_Buffer_Underwrite__char_declare_cpy_16_bad();
99 printLine("Finished bad()");
100#endif /* OMITBAD */
101 return 0;
102}
103
104#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3850: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_memmove_32.cpp

Nodes: 16 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_memmove_32.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml
4Template File: sources-sink-32.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: memmove
12 * BadSink : Copy string to data using memmove
13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_memmove_32
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 wchar_t * data;
29 wchar_t * *dataPtr1 = &data;
30 wchar_t * *dataPtr2 = &data;
31 data = NULL;
32 {
33 wchar_t * data = *dataPtr1;
34 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
35 data = new wchar_t[50];
36 data[0] = L'\0'; /* null terminate */
37 *dataPtr1 = data;
38 }
39 {
40 wchar_t * data = *dataPtr2;
41 {
42 wchar_t source[100];
43 wmemset(source, L'C', 100-1); /* fill with L'C's */
44 source[100-1] = L'\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
46 memmove(data, source, 100*sizeof(wchar_t));❗VULN
47 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
48 printWLine(data);
49 delete [] data;
50 }
51 }
52}
53
54#endif /* OMITBAD */
55
56#ifndef OMITGOOD
57
58/* goodG2B() uses the GoodSource with the BadSink */
59static void goodG2B()
60{
61 wchar_t * data;
62 wchar_t * *dataPtr1 = &data;
63 wchar_t * *dataPtr2 = &data;
64 data = NULL;
65 {
66 wchar_t * data = *dataPtr1;
67 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
68 data = new wchar_t[100];
69 data[0] = L'\0'; /* null terminate */
70 *dataPtr1 = data;
71 }
72 {
73 wchar_t * data = *dataPtr2;
74 {
75 wchar_t source[100];
76 wmemset(source, L'C', 100-1); /* fill with L'C's */
77 source[100-1] = L'\0'; /* null terminate */
78 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
79 memmove(data, source, 100*sizeof(wchar_t));
80 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
81 printWLine(data);
82 delete [] data;
83 }
84 }
85}
86
87void good()
88{
89 goodG2B();
90}
91
92#endif /* OMITGOOD */
93
94} /* close namespace */
95
96/* Below is the main(). It is only used when building this testcase on
97 its own for testing or for building a binary to use in testing binary
98 analysis tools. It is not used when compiling all the testcases as one
99 application, which is how source code analysis tools are tested. */
100#ifdef INCLUDEMAIN
101
102using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_memmove_32; /* so that we can use good and bad easily */
103
104int main(int argc, char * argv[])
105{
106 /* seed randomness */
107 srand( (unsigned)time(NULL) );
108#ifndef OMITGOOD
109 printLine("Calling good()...");
110 good();
111 printLine("Finished good()");
112#endif /* OMITGOOD */
113#ifndef OMITBAD
114 printLine("Calling bad()...");
115 bad();
116 printLine("Finished bad()");
117#endif /* OMITBAD */
118 return 0;
119}
120
121#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 697: CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_07.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_07.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__CWE131.label.xml
4Template File: sources-sink-07.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory without using sizeof(int)
10 * GoodSource: Allocate memory using sizeof(int)
11 * Sink: loop
12 * BadSink : Copy array to data using a loop
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19/* The variable below is not declared "const", but is never assigned
20 * any other value so a tool should be able to identify that reads of
21 * this will always give its initialized value.
22 */
23static int staticFive = 5;
24
25#ifndef OMITBAD
26
27void CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_07_bad()
28{
29 int * data;
30 data = NULL;
31 if(staticFive==5)
32 {
33 /* FLAW: Allocate memory without using sizeof(int) */
34 data = (int *)malloc(10);
35 if (data == NULL) {exit(-1);}
36 }
37 {
38 int source[10] = {0};
39 size_t i;
40 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
41 for (i = 0; i < 10; i++)
42 {
43 data[i] = source[i];❗VULN
44 }
45 printIntLine(data[0]);
46 free(data);
47 }
48}
49
50#endif /* OMITBAD */
51
52#ifndef OMITGOOD
53
54/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
55static void goodG2B1()
56{
57 int * data;
58 data = NULL;
59 if(staticFive!=5)
60 {
61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
62 printLine("Benign, fixed string");
63 }
64 else
65 {
66 /* FIX: Allocate memory using sizeof(int) */
67 data = (int *)malloc(10*sizeof(int));
68 if (data == NULL) {exit(-1);}
69 }
70 {
71 int source[10] = {0};
72 size_t i;
73 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
74 for (i = 0; i < 10; i++)
75 {
76 data[i] = source[i];
77 }
78 printIntLine(data[0]);
79 free(data);
80 }
81}
82
83/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
84static void goodG2B2()
85{
86 int * data;
87 data = NULL;
88 if(staticFive==5)
89 {
90 /* FIX: Allocate memory using sizeof(int) */
91 data = (int *)malloc(10*sizeof(int));
92 if (data == NULL) {exit(-1);}
93 }
94 {
95 int source[10] = {0};
96 size_t i;
97 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
98 for (i = 0; i < 10; i++)
99 {
100 data[i] = source[i];
101 }
102 printIntLine(data[0]);
103 free(data);
104 }
105}
106
107void CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_07_good()
108{
109 goodG2B1();
110 goodG2B2();
111}
112
113#endif /* OMITGOOD */
114
115/* Below is the main(). It is only used when building this testcase on
116 * its own for testing or for building a binary to use in testing binary
117 * analysis tools. It is not used when compiling all the testcases as one
118 * application, which is how source code analysis tools are tested.
119 */
120
121#ifdef INCLUDEMAIN
122
123int main(int argc, char * argv[])
124{
125 /* seed randomness */
126 srand( (unsigned)time(NULL) );
127#ifndef OMITGOOD
128 printLine("Calling good()...");
129 CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_07_good();
130 printLine("Finished good()");
131#endif /* OMITGOOD */
132#ifndef OMITBAD
133 printLine("Calling bad()...");
134 CWE122_Heap_Based_Buffer_Overflow__CWE131_loop_07_bad();
135 printLine("Finished bad()");
136#endif /* OMITBAD */
137 return 0;
138}
139
140#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5593: CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_04.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_04.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml
4Template File: sources-sink-04.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: cpy
12 * BadSink : Copy string to data using wcscpy
13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are declared "const", so a tool should
22 * be able to identify that reads of these will always return their
23 * initialized values.
24 */
25static const int STATIC_CONST_TRUE = 1; /* true */
26static const int STATIC_CONST_FALSE = 0; /* false */
27
28#ifndef OMITBAD
29
30void CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_04_bad()
31{
32 wchar_t * data;
33 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
34 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
35 if(STATIC_CONST_TRUE)
36 {
37 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
38 * buffer in various memory copying functions using a "large" source buffer. */
39 data = dataBadBuffer;
40 data[0] = L'\0'; /* null terminate */
41 }
42 {
43 wchar_t source[100];
44 wmemset(source, L'C', 100-1); /* fill with L'C's */
45 source[100-1] = L'\0'; /* null terminate */
46 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
47 wcscpy(data, source);❗VULN
48 printWLine(data);
49 }
50}
51
52#endif /* OMITBAD */
53
54#ifndef OMITGOOD
55
56/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */
57static void goodG2B1()
58{
59 wchar_t * data;
60 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
61 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
62 if(STATIC_CONST_FALSE)
63 {
64 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
65 printLine("Benign, fixed string");
66 }
67 else
68 {
69 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
70 data = dataGoodBuffer;
71 data[0] = L'\0'; /* null terminate */
72 }
73 {
74 wchar_t source[100];
75 wmemset(source, L'C', 100-1); /* fill with L'C's */
76 source[100-1] = L'\0'; /* null terminate */
77 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
78 wcscpy(data, source);
79 printWLine(data);
80 }
81}
82
83/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
84static void goodG2B2()
85{
86 wchar_t * data;
87 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
88 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
89 if(STATIC_CONST_TRUE)
90 {
91 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
92 data = dataGoodBuffer;
93 data[0] = L'\0'; /* null terminate */
94 }
95 {
96 wchar_t source[100];
97 wmemset(source, L'C', 100-1); /* fill with L'C's */
98 source[100-1] = L'\0'; /* null terminate */
99 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
100 wcscpy(data, source);
101 printWLine(data);
102 }
103}
104
105void CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_04_good()
106{
107 goodG2B1();
108 goodG2B2();
109}
110
111#endif /* OMITGOOD */
112
113/* Below is the main(). It is only used when building this testcase on
114 * its own for testing or for building a binary to use in testing binary
115 * analysis tools. It is not used when compiling all the testcases as one
116 * application, which is how source code analysis tools are tested.
117 */
118
119#ifdef INCLUDEMAIN
120
121int main(int argc, char * argv[])
122{
123 /* seed randomness */
124 srand( (unsigned)time(NULL) );
125#ifndef OMITGOOD
126 printLine("Calling good()...");
127 CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_04_good();
128 printLine("Finished good()");
129#endif /* OMITGOOD */
130#ifndef OMITBAD
131 printLine("Calling bad()...");
132 CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_04_bad();
133 printLine("Finished bad()");
134#endif /* OMITBAD */
135 return 0;
136}
137
138#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2537: CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_cpy_32.c

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_cpy_32.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE193.label.xml
4Template File: sources-sink-32.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Point data to a buffer that does not have space for a NULL terminator
10 * GoodSource: Point data to a buffer that includes space for a NULL terminator
11 * Sink: cpy
12 * BadSink : Copy string to data using wcscpy()
13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING L"AAAAAAAAAA"
25
26#ifndef OMITBAD
27
28void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_cpy_32_bad()
29{
30 wchar_t * data;
31 wchar_t * *dataPtr1 = &data;
32 wchar_t * *dataPtr2 = &data;
33 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA((10)*sizeof(wchar_t));
34 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA((10+1)*sizeof(wchar_t));
35 {
36 wchar_t * data = *dataPtr1;
37 /* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing
38 * string copies in the sinks */
39 data = dataBadBuffer;
40 data[0] = L'\0'; /* null terminate */
41 *dataPtr1 = data;
42 }
43 {
44 wchar_t * data = *dataPtr2;
45 {
46 wchar_t source[10+1] = SRC_STRING;
47 /* POTENTIAL FLAW: data may not have enough space to hold source */
48 wcscpy(data, source);❗VULN
49 printWLine(data);
50 }
51 }
52}
53
54#endif /* OMITBAD */
55
56#ifndef OMITGOOD
57
58/* goodG2B() uses the GoodSource with the BadSink */
59static void goodG2B()
60{
61 wchar_t * data;
62 wchar_t * *dataPtr1 = &data;
63 wchar_t * *dataPtr2 = &data;
64 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA((10)*sizeof(wchar_t));
65 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA((10+1)*sizeof(wchar_t));
66 {
67 wchar_t * data = *dataPtr1;
68 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing
69 * string copies in the sinks */
70 data = dataGoodBuffer;
71 data[0] = L'\0'; /* null terminate */
72 *dataPtr1 = data;
73 }
74 {
75 wchar_t * data = *dataPtr2;
76 {
77 wchar_t source[10+1] = SRC_STRING;
78 /* POTENTIAL FLAW: data may not have enough space to hold source */
79 wcscpy(data, source);
80 printWLine(data);
81 }
82 }
83}
84
85void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_cpy_32_good()
86{
87 goodG2B();
88}
89
90#endif /* OMITGOOD */
91
92/* Below is the main(). It is only used when building this testcase on
93 * its own for testing or for building a binary to use in testing binary
94 * analysis tools. It is not used when compiling all the testcases as one
95 * application, which is how source code analysis tools are tested.
96 */
97#ifdef INCLUDEMAIN
98
99int main(int argc, char * argv[])
100{
101 /* seed randomness */
102 srand( (unsigned)time(NULL) );
103#ifndef OMITGOOD
104 printLine("Calling good()...");
105 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_cpy_32_good();
106 printLine("Finished good()");
107#endif /* OMITGOOD */
108#ifndef OMITBAD
109 printLine("Calling bad()...");
110 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_cpy_32_bad();
111 printLine("Finished bad()");
112#endif /* OMITBAD */
113 return 0;
114}
115
116#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1912: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_21.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_21.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4Template File: sources-sink-21.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 * Sink: ncat
12 * BadSink : Copy string to data using strncat
13 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23/* The static variable below is used to drive control flow in the source function */
24static int badStatic = 0;
25
26static char * badSource(char * data)
27{
28 if(badStatic)
29 {
30 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
31 data = (char *)malloc(50*sizeof(char));
32 if (data == NULL) {exit(-1);}
33 data[0] = '\0'; /* null terminate */
34 }
35 return data;
36}
37
38void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_21_bad()
39{
40 char * data;
41 data = NULL;
42 badStatic = 1; /* true */
43 data = badSource(data);
44 {
45 char source[100];
46 memset(source, 'C', 100-1); /* fill with 'C's */
47 source[100-1] = '\0'; /* null terminate */
48 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
49 strncat(data, source, 100);❗VULN
50 printLine(data);
51 free(data);
52 }
53}
54
55#endif /* OMITBAD */
56
57#ifndef OMITGOOD
58
59/* The static variables below are used to drive control flow in the source functions. */
60static int goodG2B1Static = 0;
61static int goodG2B2Static = 0;
62
63/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */
64static char * goodG2B1Source(char * data)
65{
66 if(goodG2B1Static)
67 {
68 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
69 printLine("Benign, fixed string");
70 }
71 else
72 {
73 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
74 data = (char *)malloc(100*sizeof(char));
75 if (data == NULL) {exit(-1);}
76 data[0] = '\0'; /* null terminate */
77 }
78 return data;
79}
80
81static void goodG2B1()
82{
83 char * data;
84 data = NULL;
85 goodG2B1Static = 0; /* false */
86 data = goodG2B1Source(data);
87 {
88 char source[100];
89 memset(source, 'C', 100-1); /* fill with 'C's */
90 source[100-1] = '\0'; /* null terminate */
91 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
92 strncat(data, source, 100);
93 printLine(data);
94 free(data);
95 }
96}
97
98/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */
99static char * goodG2B2Source(char * data)
100{
101 if(goodG2B2Static)
102 {
103 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
104 data = (char *)malloc(100*sizeof(char));
105 if (data == NULL) {exit(-1);}
106 data[0] = '\0'; /* null terminate */
107 }
108 return data;
109}
110
111static void goodG2B2()
112{
113 char * data;
114 data = NULL;
115 goodG2B2Static = 1; /* true */
116 data = goodG2B2Source(data);
117 {
118 char source[100];
119 memset(source, 'C', 100-1); /* fill with 'C's */
120 source[100-1] = '\0'; /* null terminate */
121 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
122 strncat(data, source, 100);
123 printLine(data);
124 free(data);
125 }
126}
127
128void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_21_good()
129{
130 goodG2B1();
131 goodG2B2();
132}
133
134#endif /* OMITGOOD */
135
136/* Below is the main(). It is only used when building this testcase on
137 * its own for testing or for building a binary to use in testing binary
138 * analysis tools. It is not used when compiling all the testcases as one
139 * application, which is how source code analysis tools are tested.
140 */
141
142#ifdef INCLUDEMAIN
143
144int main(int argc, char * argv[])
145{
146 /* seed randomness */
147 srand( (unsigned)time(NULL) );
148#ifndef OMITGOOD
149 printLine("Calling good()...");
150 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_21_good();
151 printLine("Finished good()");
152#endif /* OMITGOOD */
153#ifndef OMITBAD
154 printLine("Calling bad()...");
155 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_char_ncat_21_bad();
156 printLine("Finished bad()");
157#endif /* OMITBAD */
158 return 0;
159}
160
161#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5552: CWE124_Buffer_Underwrite__CWE839_fgets_12.c

Nodes: 27 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__CWE839_fgets_12.c
3Label Definition File: CWE124_Buffer_Underwrite__CWE839.label.xml
4Template File: sources-sinks-12.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: fgets Read data from the console using fgets()
10 * GoodSource: Non-negative but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the lower bound
14 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())
15 *
16 * */
17
18#include "std_testcase.h"
19
20#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)
21
22#ifndef OMITBAD
23
24void CWE124_Buffer_Underwrite__CWE839_fgets_12_bad()
25{
26 int data;
27 /* Initialize data */
28 data = -1;
29 if(globalReturnsTrueOrFalse())
30 {
31 {
32 char inputBuffer[CHAR_ARRAY_SIZE] = "";
33 /* POTENTIAL FLAW: Read data from the console using fgets() */
34 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)
35 {
36 /* Convert to int */
37 data = atoi(inputBuffer);
38 }
39 else
40 {
41 printLine("fgets() failed.");
42 }
43 }
44 }
45 else
46 {
47 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
48 * access an index of the array in the sink that is out-of-bounds */
49 data = 7;
50 }
51 if(globalReturnsTrueOrFalse())
52 {
53 {
54 int i;
55 int buffer[10] = { 0 };
56 /* POTENTIAL FLAW: Attempt to access a negative index of the array
57 * This code does not check to see if the array index is negative */
58 if (data < 10)
59 {
60 buffer[data] = 1;❗VULN
61 /* Print the array values */
62 for(i = 0; i < 10; i++)
63 {
64 printIntLine(buffer[i]);
65 }
66 }
67 else
68 {
69 printLine("ERROR: Array index is negative.");
70 }
71 }
72 }
73 else
74 {
75 {
76 int i;
77 int buffer[10] = { 0 };
78 /* FIX: Properly validate the array index and prevent a buffer underwrite */
79 if (data >= 0 && data < (10))
80 {
81 buffer[data] = 1;
82 /* Print the array values */
83 for(i = 0; i < 10; i++)
84 {
85 printIntLine(buffer[i]);
86 }
87 }
88 else
89 {
90 printLine("ERROR: Array index is out-of-bounds");
91 }
92 }
93 }
94}
95
96#endif /* OMITBAD */
97
98#ifndef OMITGOOD
99
100/* goodB2G() - use badsource and goodsink by changing the first "if" so that
101 both branches use the BadSource and the second "if" so that both branches
102 use the GoodSink */
103static void goodB2G()
104{
105 int data;
106 /* Initialize data */
107 data = -1;
108 if(globalReturnsTrueOrFalse())
109 {
110 {
111 char inputBuffer[CHAR_ARRAY_SIZE] = "";
112 /* POTENTIAL FLAW: Read data from the console using fgets() */
113 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)
114 {
115 /* Convert to int */
116 data = atoi(inputBuffer);
117 }
118 else
119 {
120 printLine("fgets() failed.");
121 }
122 }
123 }
124 else
125 {
126 {
127 char inputBuffer[CHAR_ARRAY_SIZE] = "";
128 /* POTENTIAL FLAW: Read data from the console using fgets() */
129 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)
130 {
131 /* Convert to int */
132 data = atoi(inputBuffer);
133 }
134 else
135 {
136 printLine("fgets() failed.");
137 }
138 }
139 }
140 if(globalReturnsTrueOrFalse())
141 {
142 {
143 int i;
144 int buffer[10] = { 0 };
145 /* FIX: Properly validate the array index and prevent a buffer underwrite */
146 if (data >= 0 && data < (10))
147 {
148 buffer[data] = 1;
149 /* Print the array values */
150 for(i = 0; i < 10; i++)
151 {
152 printIntLine(buffer[i]);
153 }
154 }
155 else
156 {
157 printLine("ERROR: Array index is out-of-bounds");
158 }
159 }
160 }
161 else
162 {
163 {
164 int i;
165 int buffer[10] = { 0 };
166 /* FIX: Properly validate the array index and prevent a buffer underwrite */
167 if (data >= 0 && data < (10))
168 {
169 buffer[data] = 1;
170 /* Print the array values */
171 for(i = 0; i < 10; i++)
172 {
173 printIntLine(buffer[i]);
174 }
175 }
176 else
177 {
178 printLine("ERROR: Array index is out-of-bounds");
179 }
180 }
181 }
182}
183
184/* goodG2B() - use goodsource and badsink by changing the first "if" so that
185 both branches use the GoodSource and the second "if" so that both branches
186 use the BadSink */
187static void goodG2B()
188{
189 int data;
190 /* Initialize data */
191 data = -1;
192 if(globalReturnsTrueOrFalse())
193 {
194 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
195 * access an index of the array in the sink that is out-of-bounds */
196 data = 7;
197 }
198 else
199 {
200 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
201 * access an index of the array in the sink that is out-of-bounds */
202 data = 7;
203 }
204 if(globalReturnsTrueOrFalse())
205 {
206 {
207 int i;
208 int buffer[10] = { 0 };
209 /* POTENTIAL FLAW: Attempt to access a negative index of the array
210 * This code does not check to see if the array index is negative */
211 if (data < 10)
212 {
213 buffer[data] = 1;
214 /* Print the array values */
215 for(i = 0; i < 10; i++)
216 {
217 printIntLine(buffer[i]);
218 }
219 }
220 else
221 {
222 printLine("ERROR: Array index is negative.");
223 }
224 }
225 }
226 else
227 {
228 {
229 int i;
230 int buffer[10] = { 0 };
231 /* POTENTIAL FLAW: Attempt to access a negative index of the array
232 * This code does not check to see if the array index is negative */
233 if (data < 10)
234 {
235 buffer[data] = 1;
236 /* Print the array values */
237 for(i = 0; i < 10; i++)
238 {
239 printIntLine(buffer[i]);
240 }
241 }
242 else
243 {
244 printLine("ERROR: Array index is negative.");
245 }
246 }
247 }
248}
249
250void CWE124_Buffer_Underwrite__CWE839_fgets_12_good()
251{
252 goodB2G();
253 goodG2B();
254}
255
256#endif /* OMITGOOD */
257
258/* Below is the main(). It is only used when building this testcase on
259 its own for testing or for building a binary to use in testing binary
260 analysis tools. It is not used when compiling all the testcases as one
261 application, which is how source code analysis tools are tested. */
262
263#ifdef INCLUDEMAIN
264
265int main(int argc, char * argv[])
266{
267 /* seed randomness */
268 srand( (unsigned)time(NULL) );
269#ifndef OMITGOOD
270 printLine("Calling good()...");
271 CWE124_Buffer_Underwrite__CWE839_fgets_12_good();
272 printLine("Finished good()");
273#endif /* OMITGOOD */
274#ifndef OMITBAD
275 printLine("Calling bad()...");
276 CWE124_Buffer_Underwrite__CWE839_fgets_12_bad();
277 printLine("Finished bad()");
278#endif /* OMITBAD */
279 return 0;
280}
281
282#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6829: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_18.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_18.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml
4Template File: sources-sink-18.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: snprintf
12 * BadSink : Copy data to string using snprintf
13 * Flow Variant: 18 Control flow: goto statements
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifdef _WIN32
22#define SNPRINTF _snprintf
23#else
24#define SNPRINTF snprintf
25#endif
26
27#ifndef OMITBAD
28
29void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_18_bad()
30{
31 char * data;
32 data = (char *)malloc(100*sizeof(char));
33 if (data == NULL) {exit(-1);}
34 goto source;
35source:
36 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
37 memset(data, 'A', 100-1); /* fill with 'A's */
38 data[100-1] = '\0'; /* null terminate */
39 {
40 char dest[50] = "";
41 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
42 SNPRINTF(dest, strlen(data), "%s", data);❗VULN
43 printLine(data);
44 free(data);
45 }
46}
47
48#endif /* OMITBAD */
49
50#ifndef OMITGOOD
51
52/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
53static void goodG2B()
54{
55 char * data;
56 data = (char *)malloc(100*sizeof(char));
57 if (data == NULL) {exit(-1);}
58 goto source;
59source:
60 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
61 memset(data, 'A', 50-1); /* fill with 'A's */
62 data[50-1] = '\0'; /* null terminate */
63 {
64 char dest[50] = "";
65 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
66 SNPRINTF(dest, strlen(data), "%s", data);
67 printLine(data);
68 free(data);
69 }
70}
71
72void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_18_good()
73{
74 goodG2B();
75}
76
77#endif /* OMITGOOD */
78
79/* Below is the main(). It is only used when building this testcase on
80 * its own for testing or for building a binary to use in testing binary
81 * analysis tools. It is not used when compiling all the testcases as one
82 * application, which is how source code analysis tools are tested.
83 */
84
85#ifdef INCLUDEMAIN
86
87int main(int argc, char * argv[])
88{
89 /* seed randomness */
90 srand( (unsigned)time(NULL) );
91#ifndef OMITGOOD
92 printLine("Calling good()...");
93 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_18_good();
94 printLine("Finished good()");
95#endif /* OMITGOOD */
96#ifndef OMITBAD
97 printLine("Calling bad()...");
98 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_snprintf_18_bad();
99 printLine("Finished bad()");
100#endif /* OMITBAD */
101 return 0;
102}
103
104#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5585: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_02.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_02.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml
4Template File: sources-sink-02.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 02 Control flow: if(1) and if(0)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_02_bad()
24{
25 wchar_t * data;
26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
27 data = dataBuffer;
28 if(1)
29 {
30 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
31 wmemset(data, L'A', 100-1); /* fill with L'A's */
32 data[100-1] = L'\0'; /* null terminate */
33 }
34 {
35 wchar_t dest[50] = L"";
36 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
37 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));❗VULN
38 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
39 printWLine(data);
40 }
41}
42
43#endif /* OMITBAD */
44
45#ifndef OMITGOOD
46
47/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */
48static void goodG2B1()
49{
50 wchar_t * data;
51 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
52 data = dataBuffer;
53 if(0)
54 {
55 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
56 printLine("Benign, fixed string");
57 }
58 else
59 {
60 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
61 wmemset(data, L'A', 50-1); /* fill with L'A's */
62 data[50-1] = L'\0'; /* null terminate */
63 }
64 {
65 wchar_t dest[50] = L"";
66 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
67 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));
68 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
69 printWLine(data);
70 }
71}
72
73/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
74static void goodG2B2()
75{
76 wchar_t * data;
77 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
78 data = dataBuffer;
79 if(1)
80 {
81 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
82 wmemset(data, L'A', 50-1); /* fill with L'A's */
83 data[50-1] = L'\0'; /* null terminate */
84 }
85 {
86 wchar_t dest[50] = L"";
87 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
88 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));
89 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
90 printWLine(data);
91 }
92}
93
94void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_02_good()
95{
96 goodG2B1();
97 goodG2B2();
98}
99
100#endif /* OMITGOOD */
101
102/* Below is the main(). It is only used when building this testcase on
103 * its own for testing or for building a binary to use in testing binary
104 * analysis tools. It is not used when compiling all the testcases as one
105 * application, which is how source code analysis tools are tested.
106 */
107
108#ifdef INCLUDEMAIN
109
110int main(int argc, char * argv[])
111{
112 /* seed randomness */
113 srand( (unsigned)time(NULL) );
114#ifndef OMITGOOD
115 printLine("Calling good()...");
116 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_02_good();
117 printLine("Finished good()");
118#endif /* OMITGOOD */
119#ifndef OMITBAD
120 printLine("Calling bad()...");
121 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_02_bad();
122 printLine("Finished bad()");
123#endif /* OMITBAD */
124 return 0;
125}
126
127#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7760: CWE126_Buffer_Overread__CWE129_fscanf_33.cpp

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__CWE129_fscanf_33.cpp
3Label Definition File: CWE126_Buffer_Overread__CWE129.label.xml
4Template File: sources-sinks-33.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Overread
9 * BadSource: fscanf Read data from the console using fscanf()
10 * GoodSource: Larger than zero but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the upper bound
14 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function
15 *
16 * */
17
18#include "std_testcase.h"
19
20namespace CWE126_Buffer_Overread__CWE129_fscanf_33
21{
22
23#ifndef OMITBAD
24
25void bad()
26{
27 int data;
28 int &dataRef = data;
29 /* Initialize data */
30 data = -1;
31 /* POTENTIAL FLAW: Read data from the console using fscanf() */
32 fscanf(stdin, "%d", &data);
33 {
34 int data = dataRef;
35 {
36 int buffer[10] = { 0 };
37 /* POTENTIAL FLAW: Attempt to access an index of the array that is above the upper bound
38 * This check does not check the upper bounds of the array index */
39 if (data >= 0)
40 {
41 printIntLine(buffer[data]);❗VULN
42 }
43 else
44 {
45 printLine("ERROR: Array index is negative");
46 }
47 }
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* goodG2B() uses the GoodSource with the BadSink */
56static void goodG2B()
57{
58 int data;
59 int &dataRef = data;
60 /* Initialize data */
61 data = -1;
62 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
63 * access an index of the array in the sink that is out-of-bounds */
64 data = 7;
65 {
66 int data = dataRef;
67 {
68 int buffer[10] = { 0 };
69 /* POTENTIAL FLAW: Attempt to access an index of the array that is above the upper bound
70 * This check does not check the upper bounds of the array index */
71 if (data >= 0)
72 {
73 printIntLine(buffer[data]);
74 }
75 else
76 {
77 printLine("ERROR: Array index is negative");
78 }
79 }
80 }
81}
82
83/* goodB2G() uses the BadSource with the GoodSink */
84static void goodB2G()
85{
86 int data;
87 int &dataRef = data;
88 /* Initialize data */
89 data = -1;
90 /* POTENTIAL FLAW: Read data from the console using fscanf() */
91 fscanf(stdin, "%d", &data);
92 {
93 int data = dataRef;
94 {
95 int buffer[10] = { 0 };
96 /* FIX: Properly validate the array index and prevent a buffer overread */
97 if (data >= 0 && data < (10))
98 {
99 printIntLine(buffer[data]);
100 }
101 else
102 {
103 printLine("ERROR: Array index is out-of-bounds");
104 }
105 }
106 }
107}
108
109void good()
110{
111 goodG2B();
112 goodB2G();
113}
114
115#endif /* OMITGOOD */
116
117} /* close namespace */
118
119/* Below is the main(). It is only used when building this testcase on
120 its own for testing or for building a binary to use in testing binary
121 analysis tools. It is not used when compiling all the testcases as one
122 application, which is how source code analysis tools are tested. */
123#ifdef INCLUDEMAIN
124
125using namespace CWE126_Buffer_Overread__CWE129_fscanf_33; /* so that we can use good and bad easily */
126
127int main(int argc, char * argv[])
128{
129 /* seed randomness */
130 srand( (unsigned)time(NULL) );
131#ifndef OMITGOOD
132 printLine("Calling good()...");
133 good();
134 printLine("Finished good()");
135#endif /* OMITGOOD */
136#ifndef OMITBAD
137 printLine("Calling bad()...");
138 bad();
139 printLine("Finished bad()");
140#endif /* OMITBAD */
141 return 0;
142}
143
144#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7179: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_ncat_31.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_ncat_31.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml
4Template File: sources-sink-31.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sinks: ncat
12 * BadSink : Copy data to string using wcsncat
13 * Flow Variant: 31 Data flow using a copy of data within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_ncat_31_bad()
24{
25 wchar_t * data;
26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
27 data = dataBuffer;
28 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
29 wmemset(data, L'A', 100-1); /* fill with L'A's */
30 data[100-1] = L'\0'; /* null terminate */
31 {
32 wchar_t * dataCopy = data;
33 wchar_t * data = dataCopy;
34 {
35 wchar_t dest[50] = L"";
36 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-wcslen(dest)*/
37 wcsncat(dest, data, wcslen(data));❗VULN
38 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
39 printWLine(data);
40 }
41 }
42}
43
44#endif /* OMITBAD */
45
46#ifndef OMITGOOD
47
48/* goodG2B() uses the GoodSource with the BadSink */
49static void goodG2B()
50{
51 wchar_t * data;
52 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
53 data = dataBuffer;
54 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
55 wmemset(data, L'A', 50-1); /* fill with L'A's */
56 data[50-1] = L'\0'; /* null terminate */
57 {
58 wchar_t * dataCopy = data;
59 wchar_t * data = dataCopy;
60 {
61 wchar_t dest[50] = L"";
62 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-wcslen(dest)*/
63 wcsncat(dest, data, wcslen(data));
64 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
65 printWLine(data);
66 }
67 }
68}
69
70void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_ncat_31_good()
71{
72 goodG2B();
73}
74
75#endif /* OMITGOOD */
76
77/* Below is the main(). It is only used when building this testcase on
78 * its own for testing or for building a binary to use in testing binary
79 * analysis tools. It is not used when compiling all the testcases as one
80 * application, which is how source code analysis tools are tested.
81 */
82#ifdef INCLUDEMAIN
83
84int main(int argc, char * argv[])
85{
86 /* seed randomness */
87 srand( (unsigned)time(NULL) );
88#ifndef OMITGOOD
89 printLine("Calling good()...");
90 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_ncat_31_good();
91 printLine("Finished good()");
92#endif /* OMITGOOD */
93#ifndef OMITBAD
94 printLine("Calling bad()...");
95 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_ncat_31_bad();
96 printLine("Finished bad()");
97#endif /* OMITBAD */
98 return 0;
99}
100
101#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4021: CWE122_Heap_Based_Buffer_Overflow__CWE135_74b.cpp

Nodes: 9 | Sink Nodes: 3 predicted, 2 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__CWE135_74b.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__CWE135.label.xml
4Template File: sources-sinks-74b.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Void pointer to a wchar_t array
10 * GoodSource: Void pointer to a char array
11 * Sinks:
12 * GoodSink: Allocate memory using wcslen() and copy data
13 * BadSink : Allocate memory using strlen() and copy data
14 * Flow Variant: 74 Data flow: data passed in a map from one function to another in different source files
15 *
16 * */
17
18#include "std_testcase.h"
19#include <map>
20
21#include <wchar.h>
22
23using namespace std;
24
25namespace CWE122_Heap_Based_Buffer_Overflow__CWE135_74
26{
27
28#ifndef OMITBAD
29
30void badSink(map<int, void *> dataMap)
31{
32 /* copy data out of dataMap */
33 void * data = dataMap[2];
34 {
35 /* POTENTIAL FLAW: treating pointer as a char* when it may point to a wide string */
36 size_t dataLen = strlen((char *)data);❗VULN
37 void * dest = (void *)calloc(dataLen+1, sizeof(wchar_t));
38 if (dest == NULL) {exit(-1);}
39 (void)wcscpy((wchar_t *)dest, (wchar_t *)data);❗VULN
40 printLine((char *)dest);
41 free(dest);
42 }
43}
44
45#endif /* OMITBAD */
46
47#ifndef OMITGOOD
48
49/* goodG2B uses the GoodSource with the BadSink */
50void goodG2BSink(map<int, void *> dataMap)
51{
52 void * data = dataMap[2];
53 {
54 /* POTENTIAL FLAW: treating pointer as a char* when it may point to a wide string */
55 size_t dataLen = strlen((char *)data);
56 void * dest = (void *)calloc(dataLen+1, 1);
57 if (dest == NULL) {exit(-1);}
58 (void)strcpy((char *)dest, (char *)data);
59 printLine((char *)dest);
60 free(dest);
61 }
62}
63
64/* goodB2G uses the BadSource with the GoodSink */
65void goodB2GSink(map<int, void *> dataMap)
66{
67 void * data = dataMap[2];
68 {
69 /* FIX: treating pointer like a wchar_t* */
70 size_t dataLen = wcslen((wchar_t *)data);
71 void * dest = (void *)calloc(dataLen+1, sizeof(wchar_t));
72 if (dest == NULL) {exit(-1);}
73 (void)wcscpy((wchar_t *)dest, (wchar_t *)data);
74 printWLine((wchar_t *)dest);
75 free(dest);
76 }
77}
78
79#endif /* OMITGOOD */
80
81} /* close namespace */

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5261: CWE121_Stack_Based_Buffer_Overflow__CWE129_rand_06.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE129_rand_06.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE129.label.xml
4Template File: sources-sinks-06.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: rand Set data to result of rand(), which may be zero
10 * GoodSource: Larger than zero but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the upper bound
14 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)
15 *
16 * */
17
18#include "std_testcase.h"
19
20/* The variable below is declared "const", so a tool should be able
21 to identify that reads of this will always give its initialized
22 value. */
23static const int STATIC_CONST_FIVE = 5;
24
25#ifndef OMITBAD
26
27void CWE121_Stack_Based_Buffer_Overflow__CWE129_rand_06_bad()
28{
29 int data;
30 /* Initialize data */
31 data = -1;
32 if(STATIC_CONST_FIVE==5)
33 {
34 /* POTENTIAL FLAW: Set data to a random value */
35 data = RAND32();
36 }
37 if(STATIC_CONST_FIVE==5)
38 {
39 {
40 int i;
41 int buffer[10] = { 0 };
42 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
43 * This code does check to see if the array index is negative */
44 if (data >= 0)
45 {
46 buffer[data] = 1;❗VULN
47 /* Print the array values */
48 for(i = 0; i < 10; i++)
49 {
50 printIntLine(buffer[i]);
51 }
52 }
53 else
54 {
55 printLine("ERROR: Array index is negative.");
56 }
57 }
58 }
59}
60
61#endif /* OMITBAD */
62
63#ifndef OMITGOOD
64
65/* goodB2G1() - use badsource and goodsink by changing the second STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */
66static void goodB2G1()
67{
68 int data;
69 /* Initialize data */
70 data = -1;
71 if(STATIC_CONST_FIVE==5)
72 {
73 /* POTENTIAL FLAW: Set data to a random value */
74 data = RAND32();
75 }
76 if(STATIC_CONST_FIVE!=5)
77 {
78 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
79 printLine("Benign, fixed string");
80 }
81 else
82 {
83 {
84 int i;
85 int buffer[10] = { 0 };
86 /* FIX: Properly validate the array index and prevent a buffer overflow */
87 if (data >= 0 && data < (10))
88 {
89 buffer[data] = 1;
90 /* Print the array values */
91 for(i = 0; i < 10; i++)
92 {
93 printIntLine(buffer[i]);
94 }
95 }
96 else
97 {
98 printLine("ERROR: Array index is out-of-bounds");
99 }
100 }
101 }
102}
103
104/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */
105static void goodB2G2()
106{
107 int data;
108 /* Initialize data */
109 data = -1;
110 if(STATIC_CONST_FIVE==5)
111 {
112 /* POTENTIAL FLAW: Set data to a random value */
113 data = RAND32();
114 }
115 if(STATIC_CONST_FIVE==5)
116 {
117 {
118 int i;
119 int buffer[10] = { 0 };
120 /* FIX: Properly validate the array index and prevent a buffer overflow */
121 if (data >= 0 && data < (10))
122 {
123 buffer[data] = 1;
124 /* Print the array values */
125 for(i = 0; i < 10; i++)
126 {
127 printIntLine(buffer[i]);
128 }
129 }
130 else
131 {
132 printLine("ERROR: Array index is out-of-bounds");
133 }
134 }
135 }
136}
137
138/* goodG2B1() - use goodsource and badsink by changing the first STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */
139static void goodG2B1()
140{
141 int data;
142 /* Initialize data */
143 data = -1;
144 if(STATIC_CONST_FIVE!=5)
145 {
146 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
147 printLine("Benign, fixed string");
148 }
149 else
150 {
151 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
152 * access an index of the array in the sink that is out-of-bounds */
153 data = 7;
154 }
155 if(STATIC_CONST_FIVE==5)
156 {
157 {
158 int i;
159 int buffer[10] = { 0 };
160 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
161 * This code does check to see if the array index is negative */
162 if (data >= 0)
163 {
164 buffer[data] = 1;
165 /* Print the array values */
166 for(i = 0; i < 10; i++)
167 {
168 printIntLine(buffer[i]);
169 }
170 }
171 else
172 {
173 printLine("ERROR: Array index is negative.");
174 }
175 }
176 }
177}
178
179/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */
180static void goodG2B2()
181{
182 int data;
183 /* Initialize data */
184 data = -1;
185 if(STATIC_CONST_FIVE==5)
186 {
187 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
188 * access an index of the array in the sink that is out-of-bounds */
189 data = 7;
190 }
191 if(STATIC_CONST_FIVE==5)
192 {
193 {
194 int i;
195 int buffer[10] = { 0 };
196 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
197 * This code does check to see if the array index is negative */
198 if (data >= 0)
199 {
200 buffer[data] = 1;
201 /* Print the array values */
202 for(i = 0; i < 10; i++)
203 {
204 printIntLine(buffer[i]);
205 }
206 }
207 else
208 {
209 printLine("ERROR: Array index is negative.");
210 }
211 }
212 }
213}
214
215void CWE121_Stack_Based_Buffer_Overflow__CWE129_rand_06_good()
216{
217 goodB2G1();
218 goodB2G2();
219 goodG2B1();
220 goodG2B2();
221}
222
223#endif /* OMITGOOD */
224
225/* Below is the main(). It is only used when building this testcase on
226 its own for testing or for building a binary to use in testing binary
227 analysis tools. It is not used when compiling all the testcases as one
228 application, which is how source code analysis tools are tested. */
229
230#ifdef INCLUDEMAIN
231
232int main(int argc, char * argv[])
233{
234 /* seed randomness */
235 srand( (unsigned)time(NULL) );
236#ifndef OMITGOOD
237 printLine("Calling good()...");
238 CWE121_Stack_Based_Buffer_Overflow__CWE129_rand_06_good();
239 printLine("Finished good()");
240#endif /* OMITGOOD */
241#ifndef OMITBAD
242 printLine("Calling bad()...");
243 CWE121_Stack_Based_Buffer_Overflow__CWE129_rand_06_bad();
244 printLine("Finished bad()");
245#endif /* OMITBAD */
246 return 0;
247}
248
249#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6773: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_03.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_03.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml
4Template File: sources-sink-03.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: memmove
12 * BadSink : Copy string to data using memmove
13 * Flow Variant: 03 Control flow: if(5==5) and if(5!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_03_bad()
24{
25 char * data;
26 char dataBadBuffer[50];
27 char dataGoodBuffer[100];
28 if(5==5)
29 {
30 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
31 * buffer in various memory copying functions using a "large" source buffer. */
32 data = dataBadBuffer;
33 data[0] = '\0'; /* null terminate */
34 }
35 {
36 char source[100];
37 memset(source, 'C', 100-1); /* fill with 'C's */
38 source[100-1] = '\0'; /* null terminate */
39 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
40 memmove(data, source, 100*sizeof(char));❗VULN
41 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
42 printLine(data);
43 }
44}
45
46#endif /* OMITBAD */
47
48#ifndef OMITGOOD
49
50/* goodG2B1() - use goodsource and badsink by changing the 5==5 to 5!=5 */
51static void goodG2B1()
52{
53 char * data;
54 char dataBadBuffer[50];
55 char dataGoodBuffer[100];
56 if(5!=5)
57 {
58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
59 printLine("Benign, fixed string");
60 }
61 else
62 {
63 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
64 data = dataGoodBuffer;
65 data[0] = '\0'; /* null terminate */
66 }
67 {
68 char source[100];
69 memset(source, 'C', 100-1); /* fill with 'C's */
70 source[100-1] = '\0'; /* null terminate */
71 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
72 memmove(data, source, 100*sizeof(char));
73 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
74 printLine(data);
75 }
76}
77
78/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
79static void goodG2B2()
80{
81 char * data;
82 char dataBadBuffer[50];
83 char dataGoodBuffer[100];
84 if(5==5)
85 {
86 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
87 data = dataGoodBuffer;
88 data[0] = '\0'; /* null terminate */
89 }
90 {
91 char source[100];
92 memset(source, 'C', 100-1); /* fill with 'C's */
93 source[100-1] = '\0'; /* null terminate */
94 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
95 memmove(data, source, 100*sizeof(char));
96 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
97 printLine(data);
98 }
99}
100
101void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_03_good()
102{
103 goodG2B1();
104 goodG2B2();
105}
106
107#endif /* OMITGOOD */
108
109/* Below is the main(). It is only used when building this testcase on
110 * its own for testing or for building a binary to use in testing binary
111 * analysis tools. It is not used when compiling all the testcases as one
112 * application, which is how source code analysis tools are tested.
113 */
114
115#ifdef INCLUDEMAIN
116
117int main(int argc, char * argv[])
118{
119 /* seed randomness */
120 srand( (unsigned)time(NULL) );
121#ifndef OMITGOOD
122 printLine("Calling good()...");
123 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_03_good();
124 printLine("Finished good()");
125#endif /* OMITGOOD */
126#ifndef OMITBAD
127 printLine("Calling bad()...");
128 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_03_bad();
129 printLine("Finished bad()");
130#endif /* OMITBAD */
131 return 0;
132}
133
134#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8099: CWE124_Buffer_Underwrite__malloc_wchar_t_loop_14.c

Nodes: 19 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__malloc_wchar_t_loop_14.c
3Label Definition File: CWE124_Buffer_Underwrite__malloc.label.xml
4Template File: sources-sink-14.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: loop
12 * BadSink : Copy string to data using a loop
13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE124_Buffer_Underwrite__malloc_wchar_t_loop_14_bad()
24{
25 wchar_t * data;
26 data = NULL;
27 if(globalFive==5)
28 {
29 {
30 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
31 if (dataBuffer == NULL) {exit(-1);}
32 wmemset(dataBuffer, L'A', 100-1);
33 dataBuffer[100-1] = L'\0';
34 /* FLAW: Set data pointer to before the allocated memory buffer */
35 data = dataBuffer - 8;
36 }
37 }
38 {
39 size_t i;
40 wchar_t source[100];
41 wmemset(source, L'C', 100-1); /* fill with 'C's */
42 source[100-1] = L'\0'; /* null terminate */
43 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
44 for (i = 0; i < 100; i++)
45 {
46 data[i] = source[i];❗VULN
47 }
48 /* Ensure the destination buffer is null terminated */
49 data[100-1] = L'\0';
50 printWLine(data);
51 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
52 * returned by malloc() so can't safely call free() on it */
53 }
54}
55
56#endif /* OMITBAD */
57
58#ifndef OMITGOOD
59
60/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */
61static void goodG2B1()
62{
63 wchar_t * data;
64 data = NULL;
65 if(globalFive!=5)
66 {
67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
68 printLine("Benign, fixed string");
69 }
70 else
71 {
72 {
73 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
74 if (dataBuffer == NULL) {exit(-1);}
75 wmemset(dataBuffer, L'A', 100-1);
76 dataBuffer[100-1] = L'\0';
77 /* FIX: Set data pointer to the allocated memory buffer */
78 data = dataBuffer;
79 }
80 }
81 {
82 size_t i;
83 wchar_t source[100];
84 wmemset(source, L'C', 100-1); /* fill with 'C's */
85 source[100-1] = L'\0'; /* null terminate */
86 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
87 for (i = 0; i < 100; i++)
88 {
89 data[i] = source[i];
90 }
91 /* Ensure the destination buffer is null terminated */
92 data[100-1] = L'\0';
93 printWLine(data);
94 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
95 * returned by malloc() so can't safely call free() on it */
96 }
97}
98
99/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
100static void goodG2B2()
101{
102 wchar_t * data;
103 data = NULL;
104 if(globalFive==5)
105 {
106 {
107 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
108 if (dataBuffer == NULL) {exit(-1);}
109 wmemset(dataBuffer, L'A', 100-1);
110 dataBuffer[100-1] = L'\0';
111 /* FIX: Set data pointer to the allocated memory buffer */
112 data = dataBuffer;
113 }
114 }
115 {
116 size_t i;
117 wchar_t source[100];
118 wmemset(source, L'C', 100-1); /* fill with 'C's */
119 source[100-1] = L'\0'; /* null terminate */
120 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
121 for (i = 0; i < 100; i++)
122 {
123 data[i] = source[i];
124 }
125 /* Ensure the destination buffer is null terminated */
126 data[100-1] = L'\0';
127 printWLine(data);
128 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
129 * returned by malloc() so can't safely call free() on it */
130 }
131}
132
133void CWE124_Buffer_Underwrite__malloc_wchar_t_loop_14_good()
134{
135 goodG2B1();
136 goodG2B2();
137}
138
139#endif /* OMITGOOD */
140
141/* Below is the main(). It is only used when building this testcase on
142 * its own for testing or for building a binary to use in testing binary
143 * analysis tools. It is not used when compiling all the testcases as one
144 * application, which is how source code analysis tools are tested.
145 */
146
147#ifdef INCLUDEMAIN
148
149int main(int argc, char * argv[])
150{
151 /* seed randomness */
152 srand( (unsigned)time(NULL) );
153#ifndef OMITGOOD
154 printLine("Calling good()...");
155 CWE124_Buffer_Underwrite__malloc_wchar_t_loop_14_good();
156 printLine("Finished good()");
157#endif /* OMITGOOD */
158#ifndef OMITBAD
159 printLine("Calling bad()...");
160 CWE124_Buffer_Underwrite__malloc_wchar_t_loop_14_bad();
161 printLine("Finished bad()");
162#endif /* OMITBAD */
163 return 0;
164}
165
166#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6934: CWE127_Buffer_Underread__char_declare_loop_32.c

Nodes: 20 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__char_declare_loop_32.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-32.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__char_declare_loop_32_bad()
24{
25 char * data;
26 char * *dataPtr1 = &data;
27 char * *dataPtr2 = &data;
28 char dataBuffer[100];
29 memset(dataBuffer, 'A', 100-1);
30 dataBuffer[100-1] = '\0';
31 {
32 char * data = *dataPtr1;
33 /* FLAW: Set data pointer to before the allocated memory buffer */
34 data = dataBuffer - 8;
35 *dataPtr1 = data;
36 }
37 {
38 char * data = *dataPtr2;
39 {
40 size_t i;
41 char dest[100];
42 memset(dest, 'C', 100-1); /* fill with 'C's */
43 dest[100-1] = '\0'; /* null terminate */
44 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
45 for (i = 0; i < 100; i++)
46 {
47 dest[i] = data[i];❗VULN
48 }
49 /* Ensure null termination */
50 dest[100-1] = '\0';
51 printLine(dest);
52 }
53 }
54}
55
56#endif /* OMITBAD */
57
58#ifndef OMITGOOD
59
60/* goodG2B() uses the GoodSource with the BadSink */
61static void goodG2B()
62{
63 char * data;
64 char * *dataPtr1 = &data;
65 char * *dataPtr2 = &data;
66 char dataBuffer[100];
67 memset(dataBuffer, 'A', 100-1);
68 dataBuffer[100-1] = '\0';
69 {
70 char * data = *dataPtr1;
71 /* FIX: Set data pointer to the allocated memory buffer */
72 data = dataBuffer;
73 *dataPtr1 = data;
74 }
75 {
76 char * data = *dataPtr2;
77 {
78 size_t i;
79 char dest[100];
80 memset(dest, 'C', 100-1); /* fill with 'C's */
81 dest[100-1] = '\0'; /* null terminate */
82 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
83 for (i = 0; i < 100; i++)
84 {
85 dest[i] = data[i];
86 }
87 /* Ensure null termination */
88 dest[100-1] = '\0';
89 printLine(dest);
90 }
91 }
92}
93
94void CWE127_Buffer_Underread__char_declare_loop_32_good()
95{
96 goodG2B();
97}
98
99#endif /* OMITGOOD */
100
101/* Below is the main(). It is only used when building this testcase on
102 * its own for testing or for building a binary to use in testing binary
103 * analysis tools. It is not used when compiling all the testcases as one
104 * application, which is how source code analysis tools are tested.
105 */
106#ifdef INCLUDEMAIN
107
108int main(int argc, char * argv[])
109{
110 /* seed randomness */
111 srand( (unsigned)time(NULL) );
112#ifndef OMITGOOD
113 printLine("Calling good()...");
114 CWE127_Buffer_Underread__char_declare_loop_32_good();
115 printLine("Finished good()");
116#endif /* OMITGOOD */
117#ifndef OMITBAD
118 printLine("Calling bad()...");
119 CWE127_Buffer_Underread__char_declare_loop_32_bad();
120 printLine("Finished bad()");
121#endif /* OMITBAD */
122 return 0;
123}
124
125#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 188: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45.c

Nodes: 7 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml
4Template File: sources-sink-45.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sinks: memmove
12 * BadSink : Copy string to data using memmove
13 * Flow Variant: 45 Data flow: data passed as a static global variable from one function to another in the same source file
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21static wchar_t * CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_badData;
22static wchar_t * CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_goodG2BData;
23
24#ifndef OMITBAD
25
26static void badSink()
27{
28 wchar_t * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_badData;
29 {
30 wchar_t source[100];
31 wmemset(source, L'C', 100-1); /* fill with L'C's */
32 source[100-1] = L'\0'; /* null terminate */
33 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
34 memmove(data, source, 100*sizeof(wchar_t));❗VULN
35 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
36 printWLine(data);
37 }
38}
39
40void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_bad()
41{
42 wchar_t * data;
43 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
44 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
45 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
46 * buffer in various memory copying functions using a "large" source buffer. */
47 data = dataBadBuffer;
48 data[0] = L'\0'; /* null terminate */
49 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_badData = data;
50 badSink();
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B() uses the GoodSource with the BadSink */
58static void goodG2BSink()
59{
60 wchar_t * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_goodG2BData;
61 {
62 wchar_t source[100];
63 wmemset(source, L'C', 100-1); /* fill with L'C's */
64 source[100-1] = L'\0'; /* null terminate */
65 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
66 memmove(data, source, 100*sizeof(wchar_t));
67 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
68 printWLine(data);
69 }
70}
71
72static void goodG2B()
73{
74 wchar_t * data;
75 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
76 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
77 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
78 data = dataGoodBuffer;
79 data[0] = L'\0'; /* null terminate */
80 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_goodG2BData = data;
81 goodG2BSink();
82}
83
84void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_good()
85{
86 goodG2B();
87}
88
89#endif /* OMITGOOD */
90
91/* Below is the main(). It is only used when building this testcase on
92 * its own for testing or for building a binary to use in testing binary
93 * analysis tools. It is not used when compiling all the testcases as one
94 * application, which is how source code analysis tools are tested.
95 */
96#ifdef INCLUDEMAIN
97
98int main(int argc, char * argv[])
99{
100 /* seed randomness */
101 srand( (unsigned)time(NULL) );
102#ifndef OMITGOOD
103 printLine("Calling good()...");
104 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_good();
105 printLine("Finished good()");
106#endif /* OMITGOOD */
107#ifndef OMITBAD
108 printLine("Calling bad()...");
109 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_memmove_45_bad();
110 printLine("Finished bad()");
111#endif /* OMITBAD */
112 return 0;
113}
114
115#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6465: CWE127_Buffer_Underread__malloc_char_cpy_33.cpp

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__malloc_char_cpy_33.cpp
3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml
4Template File: sources-sink-33.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sinks: cpy
12 * BadSink : Copy data to string using strcpy
13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE127_Buffer_Underread__malloc_char_cpy_33
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 char * data;
29 char * &dataRef = data;
30 data = NULL;
31 {
32 char * dataBuffer = (char *)malloc(100*sizeof(char));
33 if (dataBuffer == NULL) {exit(-1);}
34 memset(dataBuffer, 'A', 100-1);
35 dataBuffer[100-1] = '\0';
36 /* FLAW: Set data pointer to before the allocated memory buffer */
37 data = dataBuffer - 8;
38 }
39 {
40 char * data = dataRef;
41 {
42 char dest[100*2];
43 memset(dest, 'C', 100*2-1); /* fill with 'C's */
44 dest[100*2-1] = '\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
46 strcpy(dest, data);❗VULN
47 printLine(dest);
48 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
49 * returned by malloc() so can't safely call free() on it */
50 }
51 }
52}
53
54#endif /* OMITBAD */
55
56#ifndef OMITGOOD
57
58/* goodG2B() uses the GoodSource with the BadSink */
59static void goodG2B()
60{
61 char * data;
62 char * &dataRef = data;
63 data = NULL;
64 {
65 char * dataBuffer = (char *)malloc(100*sizeof(char));
66 if (dataBuffer == NULL) {exit(-1);}
67 memset(dataBuffer, 'A', 100-1);
68 dataBuffer[100-1] = '\0';
69 /* FIX: Set data pointer to the allocated memory buffer */
70 data = dataBuffer;
71 }
72 {
73 char * data = dataRef;
74 {
75 char dest[100*2];
76 memset(dest, 'C', 100*2-1); /* fill with 'C's */
77 dest[100*2-1] = '\0'; /* null terminate */
78 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
79 strcpy(dest, data);
80 printLine(dest);
81 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
82 * returned by malloc() so can't safely call free() on it */
83 }
84 }
85}
86
87void good()
88{
89 goodG2B();
90}
91
92#endif /* OMITGOOD */
93
94} /* close namespace */
95
96/* Below is the main(). It is only used when building this testcase on
97 * its own for testing or for building a binary to use in testing binary
98 * analysis tools. It is not used when compiling all the testcases as one
99 * application, which is how source code analysis tools are tested.
100 */
101#ifdef INCLUDEMAIN
102
103using namespace CWE127_Buffer_Underread__malloc_char_cpy_33; /* so that we can use good and bad easily */
104
105int main(int argc, char * argv[])
106{
107 /* seed randomness */
108 srand( (unsigned)time(NULL) );
109#ifndef OMITGOOD
110 printLine("Calling good()...");
111 good();
112 printLine("Finished good()");
113#endif /* OMITGOOD */
114#ifndef OMITBAD
115 printLine("Calling bad()...");
116 bad();
117 printLine("Finished bad()");
118#endif /* OMITBAD */
119 return 0;
120}
121
122#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 607: CWE127_Buffer_Underread__CWE839_fgets_12.c

Nodes: 17 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__CWE839_fgets_12.c
3Label Definition File: CWE127_Buffer_Underread__CWE839.label.xml
4Template File: sources-sinks-12.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Underread
9 * BadSource: fgets Read data from the console using fgets()
10 * GoodSource: Non-negative but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking to see if the value is negative
14 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())
15 *
16 * */
17
18#include "std_testcase.h"
19
20#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)
21
22#ifndef OMITBAD
23
24void CWE127_Buffer_Underread__CWE839_fgets_12_bad()
25{
26 int data;
27 /* Initialize data */
28 data = -1;
29 if(globalReturnsTrueOrFalse())
30 {
31 {
32 char inputBuffer[CHAR_ARRAY_SIZE] = "";
33 /* POTENTIAL FLAW: Read data from the console using fgets() */
34 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)
35 {
36 /* Convert to int */
37 data = atoi(inputBuffer);
38 }
39 else
40 {
41 printLine("fgets() failed.");
42 }
43 }
44 }
45 else
46 {
47 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
48 * access an index of the array in the sink that is out-of-bounds */
49 data = 7;
50 }
51 if(globalReturnsTrueOrFalse())
52 {
53 {
54 int buffer[10] = { 0 };
55 /* POTENTIAL FLAW: Attempt to access a negative index of the array
56 * This check does not check to see if the array index is negative */
57 if (data < 10)
58 {
59 printIntLine(buffer[data]);❗VULN
60 }
61 else
62 {
63 printLine("ERROR: Array index is too big.");
64 }
65 }
66 }
67 else
68 {
69 {
70 int buffer[10] = { 0 };
71 /* FIX: Properly validate the array index and prevent a buffer underread */
72 if (data >= 0 && data < (10))
73 {
74 printIntLine(buffer[data]);
75 }
76 else
77 {
78 printLine("ERROR: Array index is out-of-bounds");
79 }
80 }
81 }
82}
83
84#endif /* OMITBAD */
85
86#ifndef OMITGOOD
87
88/* goodB2G() - use badsource and goodsink by changing the first "if" so that
89 both branches use the BadSource and the second "if" so that both branches
90 use the GoodSink */
91static void goodB2G()
92{
93 int data;
94 /* Initialize data */
95 data = -1;
96 if(globalReturnsTrueOrFalse())
97 {
98 {
99 char inputBuffer[CHAR_ARRAY_SIZE] = "";
100 /* POTENTIAL FLAW: Read data from the console using fgets() */
101 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)
102 {
103 /* Convert to int */
104 data = atoi(inputBuffer);
105 }
106 else
107 {
108 printLine("fgets() failed.");
109 }
110 }
111 }
112 else
113 {
114 {
115 char inputBuffer[CHAR_ARRAY_SIZE] = "";
116 /* POTENTIAL FLAW: Read data from the console using fgets() */
117 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)
118 {
119 /* Convert to int */
120 data = atoi(inputBuffer);
121 }
122 else
123 {
124 printLine("fgets() failed.");
125 }
126 }
127 }
128 if(globalReturnsTrueOrFalse())
129 {
130 {
131 int buffer[10] = { 0 };
132 /* FIX: Properly validate the array index and prevent a buffer underread */
133 if (data >= 0 && data < (10))
134 {
135 printIntLine(buffer[data]);
136 }
137 else
138 {
139 printLine("ERROR: Array index is out-of-bounds");
140 }
141 }
142 }
143 else
144 {
145 {
146 int buffer[10] = { 0 };
147 /* FIX: Properly validate the array index and prevent a buffer underread */
148 if (data >= 0 && data < (10))
149 {
150 printIntLine(buffer[data]);
151 }
152 else
153 {
154 printLine("ERROR: Array index is out-of-bounds");
155 }
156 }
157 }
158}
159
160/* goodG2B() - use goodsource and badsink by changing the first "if" so that
161 both branches use the GoodSource and the second "if" so that both branches
162 use the BadSink */
163static void goodG2B()
164{
165 int data;
166 /* Initialize data */
167 data = -1;
168 if(globalReturnsTrueOrFalse())
169 {
170 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
171 * access an index of the array in the sink that is out-of-bounds */
172 data = 7;
173 }
174 else
175 {
176 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
177 * access an index of the array in the sink that is out-of-bounds */
178 data = 7;
179 }
180 if(globalReturnsTrueOrFalse())
181 {
182 {
183 int buffer[10] = { 0 };
184 /* POTENTIAL FLAW: Attempt to access a negative index of the array
185 * This check does not check to see if the array index is negative */
186 if (data < 10)
187 {
188 printIntLine(buffer[data]);
189 }
190 else
191 {
192 printLine("ERROR: Array index is too big.");
193 }
194 }
195 }
196 else
197 {
198 {
199 int buffer[10] = { 0 };
200 /* POTENTIAL FLAW: Attempt to access a negative index of the array
201 * This check does not check to see if the array index is negative */
202 if (data < 10)
203 {
204 printIntLine(buffer[data]);
205 }
206 else
207 {
208 printLine("ERROR: Array index is too big.");
209 }
210 }
211 }
212}
213
214void CWE127_Buffer_Underread__CWE839_fgets_12_good()
215{
216 goodB2G();
217 goodG2B();
218}
219
220#endif /* OMITGOOD */
221
222/* Below is the main(). It is only used when building this testcase on
223 its own for testing or for building a binary to use in testing binary
224 analysis tools. It is not used when compiling all the testcases as one
225 application, which is how source code analysis tools are tested. */
226
227#ifdef INCLUDEMAIN
228
229int main(int argc, char * argv[])
230{
231 /* seed randomness */
232 srand( (unsigned)time(NULL) );
233#ifndef OMITGOOD
234 printLine("Calling good()...");
235 CWE127_Buffer_Underread__CWE839_fgets_12_good();
236 printLine("Finished good()");
237#endif /* OMITGOOD */
238#ifndef OMITBAD
239 printLine("Calling bad()...");
240 CWE127_Buffer_Underread__CWE839_fgets_12_bad();
241 printLine("Finished bad()");
242#endif /* OMITBAD */
243 return 0;
244}
245
246#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5932: CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE129.label.xml
4Template File: sources-sinks-45.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: large Large index value that is greater than 10-1
10 * GoodSource: Larger than zero but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the upper bound
14 * Flow Variant: 45 Data flow: data passed as a static global variable from one function to another in the same source file
15 *
16 * */
17
18#include "std_testcase.h"
19
20static int CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_badData;
21static int CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_goodG2BData;
22static int CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_goodB2GData;
23
24#ifndef OMITBAD
25
26static void badSink()
27{
28 int data = CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_badData;
29 {
30 int i;
31 int buffer[10] = { 0 };
32 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
33 * This code does check to see if the array index is negative */
34 if (data >= 0)
35 {
36 buffer[data] = 1;❗VULN
37 /* Print the array values */
38 for(i = 0; i < 10; i++)
39 {
40 printIntLine(buffer[i]);
41 }
42 }
43 else
44 {
45 printLine("ERROR: Array index is negative.");
46 }
47 }
48}
49
50void CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_bad()
51{
52 int data;
53 /* Initialize data */
54 data = -1;
55 /* POTENTIAL FLAW: Use an invalid index */
56 data = 10;
57 CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_badData = data;
58 badSink();
59}
60
61#endif /* OMITBAD */
62
63#ifndef OMITGOOD
64
65/* goodG2B() uses the GoodSource with the BadSink */
66static void goodG2BSink()
67{
68 int data = CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_goodG2BData;
69 {
70 int i;
71 int buffer[10] = { 0 };
72 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
73 * This code does check to see if the array index is negative */
74 if (data >= 0)
75 {
76 buffer[data] = 1;
77 /* Print the array values */
78 for(i = 0; i < 10; i++)
79 {
80 printIntLine(buffer[i]);
81 }
82 }
83 else
84 {
85 printLine("ERROR: Array index is negative.");
86 }
87 }
88}
89
90static void goodG2B()
91{
92 int data;
93 /* Initialize data */
94 data = -1;
95 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
96 * access an index of the array in the sink that is out-of-bounds */
97 data = 7;
98 CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_goodG2BData = data;
99 goodG2BSink();
100}
101
102/* goodB2G() uses the BadSource with the GoodSink */
103static void goodB2GSink()
104{
105 int data = CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_goodB2GData;
106 {
107 int i;
108 int buffer[10] = { 0 };
109 /* FIX: Properly validate the array index and prevent a buffer overflow */
110 if (data >= 0 && data < (10))
111 {
112 buffer[data] = 1;
113 /* Print the array values */
114 for(i = 0; i < 10; i++)
115 {
116 printIntLine(buffer[i]);
117 }
118 }
119 else
120 {
121 printLine("ERROR: Array index is out-of-bounds");
122 }
123 }
124}
125
126static void goodB2G()
127{
128 int data;
129 /* Initialize data */
130 data = -1;
131 /* POTENTIAL FLAW: Use an invalid index */
132 data = 10;
133 CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_goodB2GData = data;
134 goodB2GSink();
135}
136
137void CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_good()
138{
139 goodG2B();
140 goodB2G();
141}
142
143#endif /* OMITGOOD */
144
145/* Below is the main(). It is only used when building this testcase on
146 its own for testing or for building a binary to use in testing binary
147 analysis tools. It is not used when compiling all the testcases as one
148 application, which is how source code analysis tools are tested. */
149#ifdef INCLUDEMAIN
150
151int main(int argc, char * argv[])
152{
153 /* seed randomness */
154 srand( (unsigned)time(NULL) );
155#ifndef OMITGOOD
156 printLine("Calling good()...");
157 CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_good();
158 printLine("Finished good()");
159#endif /* OMITGOOD */
160#ifndef OMITBAD
161 printLine("Calling bad()...");
162 CWE121_Stack_Based_Buffer_Overflow__CWE129_large_45_bad();
163 printLine("Finished bad()");
164#endif /* OMITBAD */
165 return 0;
166}
167
168#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1895: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memmove_16.cpp

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memmove_16.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.label.xml
4Template File: sources-sink-16.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: memmove
12 * BadSink : Copy int64_t array to data using memmove
13 * Flow Variant: 16 Control flow: while(1)
14 *
15 * */
16
17#include "std_testcase.h"
18
19namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memmove_16
20{
21
22#ifndef OMITBAD
23
24void bad()
25{
26 int64_t * data;
27 data = NULL;
28 while(1)
29 {
30 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
31 data = new int64_t[50];
32 break;
33 }
34 {
35 int64_t source[100] = {0}; /* fill with 0's */
36 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
37 memmove(data, source, 100*sizeof(int64_t));❗VULN
38 printLongLongLine(data[0]);
39 delete [] data;
40 }
41}
42
43#endif /* OMITBAD */
44
45#ifndef OMITGOOD
46
47/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */
48static void goodG2B()
49{
50 int64_t * data;
51 data = NULL;
52 while(1)
53 {
54 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
55 data = new int64_t[100];
56 break;
57 }
58 {
59 int64_t source[100] = {0}; /* fill with 0's */
60 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
61 memmove(data, source, 100*sizeof(int64_t));
62 printLongLongLine(data[0]);
63 delete [] data;
64 }
65}
66
67void good()
68{
69 goodG2B();
70}
71
72#endif /* OMITGOOD */
73
74} /* close namespace */
75
76/* Below is the main(). It is only used when building this testcase on
77 its own for testing or for building a binary to use in testing binary
78 analysis tools. It is not used when compiling all the testcases as one
79 application, which is how source code analysis tools are tested. */
80
81#ifdef INCLUDEMAIN
82
83using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_int64_t_memmove_16; /* so that we can use good and bad easily */
84
85int main(int argc, char * argv[])
86{
87 /* seed randomness */
88 srand( (unsigned)time(NULL) );
89#ifndef OMITGOOD
90 printLine("Calling good()...");
91 good();
92 printLine("Finished good()");
93#endif /* OMITGOOD */
94#ifndef OMITBAD
95 printLine("Calling bad()...");
96 bad();
97 printLine("Finished bad()");
98#endif /* OMITBAD */
99 return 0;
100}
101
102#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8989: CWE127_Buffer_Underread__wchar_t_declare_memmove_17.c

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__wchar_t_declare_memmove_17.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-17.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 17 Control flow: for loops
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__wchar_t_declare_memmove_17_bad()
24{
25 int i;
26 wchar_t * data;
27 wchar_t dataBuffer[100];
28 wmemset(dataBuffer, L'A', 100-1);
29 dataBuffer[100-1] = L'\0';
30 for(i = 0; i < 1; i++)
31 {
32 /* FLAW: Set data pointer to before the allocated memory buffer */
33 data = dataBuffer - 8;
34 }
35 {
36 wchar_t dest[100];
37 wmemset(dest, L'C', 100-1); /* fill with 'C's */
38 dest[100-1] = L'\0'; /* null terminate */
39 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
40 memmove(dest, data, 100*sizeof(wchar_t));❗VULN
41 /* Ensure null termination */
42 dest[100-1] = L'\0';
43 printWLine(dest);
44 }
45}
46
47#endif /* OMITBAD */
48
49#ifndef OMITGOOD
50
51/* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */
52static void goodG2B()
53{
54 int h;
55 wchar_t * data;
56 wchar_t dataBuffer[100];
57 wmemset(dataBuffer, L'A', 100-1);
58 dataBuffer[100-1] = L'\0';
59 for(h = 0; h < 1; h++)
60 {
61 /* FIX: Set data pointer to the allocated memory buffer */
62 data = dataBuffer;
63 }
64 {
65 wchar_t dest[100];
66 wmemset(dest, L'C', 100-1); /* fill with 'C's */
67 dest[100-1] = L'\0'; /* null terminate */
68 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
69 memmove(dest, data, 100*sizeof(wchar_t));
70 /* Ensure null termination */
71 dest[100-1] = L'\0';
72 printWLine(dest);
73 }
74}
75
76void CWE127_Buffer_Underread__wchar_t_declare_memmove_17_good()
77{
78 goodG2B();
79}
80
81#endif /* OMITGOOD */
82
83/* Below is the main(). It is only used when building this testcase on
84 * its own for testing or for building a binary to use in testing binary
85 * analysis tools. It is not used when compiling all the testcases as one
86 * application, which is how source code analysis tools are tested.
87 */
88
89#ifdef INCLUDEMAIN
90
91int main(int argc, char * argv[])
92{
93 /* seed randomness */
94 srand( (unsigned)time(NULL) );
95#ifndef OMITGOOD
96 printLine("Calling good()...");
97 CWE127_Buffer_Underread__wchar_t_declare_memmove_17_good();
98 printLine("Finished good()");
99#endif /* OMITGOOD */
100#ifndef OMITBAD
101 printLine("Calling bad()...");
102 CWE127_Buffer_Underread__wchar_t_declare_memmove_17_bad();
103 printLine("Finished bad()");
104#endif /* OMITBAD */
105 return 0;
106}
107
108#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9328: CWE126_Buffer_Overread__new_char_memmove_05.cpp

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__new_char_memmove_05.cpp
3Label Definition File: CWE126_Buffer_Overread__new.label.xml
4Template File: sources-sink-05.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Use a small buffer
10 * GoodSource: Use a large buffer
11 * Sink: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are not defined as "const", but are never
22 assigned any other value, so a tool should be able to identify that
23 reads of these will always return their initialized values. */
24static int staticTrue = 1; /* true */
25static int staticFalse = 0; /* false */
26
27namespace CWE126_Buffer_Overread__new_char_memmove_05
28{
29
30#ifndef OMITBAD
31
32void bad()
33{
34 char * data;
35 data = NULL;
36 if(staticTrue)
37 {
38 /* FLAW: Use a small buffer */
39 data = new char[50];
40 memset(data, 'A', 50-1); /* fill with 'A's */
41 data[50-1] = '\0'; /* null terminate */
42 }
43 {
44 char dest[100];
45 memset(dest, 'C', 100-1);
46 dest[100-1] = '\0'; /* null terminate */
47 /* POTENTIAL FLAW: using memmove with the length of the dest where data
48 * could be smaller than dest causing buffer overread */
49 memmove(dest, data, strlen(dest)*sizeof(char));❗VULN
50 dest[100-1] = '\0';
51 printLine(dest);
52 delete [] data;
53 }
54}
55
56#endif /* OMITBAD */
57
58#ifndef OMITGOOD
59
60/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */
61static void goodG2B1()
62{
63 char * data;
64 data = NULL;
65 if(staticFalse)
66 {
67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
68 printLine("Benign, fixed string");
69 }
70 else
71 {
72 /* FIX: Use a large buffer */
73 data = new char[100];
74 memset(data, 'A', 100-1); /* fill with 'A's */
75 data[100-1] = '\0'; /* null terminate */
76 }
77 {
78 char dest[100];
79 memset(dest, 'C', 100-1);
80 dest[100-1] = '\0'; /* null terminate */
81 /* POTENTIAL FLAW: using memmove with the length of the dest where data
82 * could be smaller than dest causing buffer overread */
83 memmove(dest, data, strlen(dest)*sizeof(char));
84 dest[100-1] = '\0';
85 printLine(dest);
86 delete [] data;
87 }
88}
89
90/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
91static void goodG2B2()
92{
93 char * data;
94 data = NULL;
95 if(staticTrue)
96 {
97 /* FIX: Use a large buffer */
98 data = new char[100];
99 memset(data, 'A', 100-1); /* fill with 'A's */
100 data[100-1] = '\0'; /* null terminate */
101 }
102 {
103 char dest[100];
104 memset(dest, 'C', 100-1);
105 dest[100-1] = '\0'; /* null terminate */
106 /* POTENTIAL FLAW: using memmove with the length of the dest where data
107 * could be smaller than dest causing buffer overread */
108 memmove(dest, data, strlen(dest)*sizeof(char));
109 dest[100-1] = '\0';
110 printLine(dest);
111 delete [] data;
112 }
113}
114
115void good()
116{
117 goodG2B1();
118 goodG2B2();
119}
120
121#endif /* OMITGOOD */
122
123} /* close namespace */
124
125/* Below is the main(). It is only used when building this testcase on
126 its own for testing or for building a binary to use in testing binary
127 analysis tools. It is not used when compiling all the testcases as one
128 application, which is how source code analysis tools are tested. */
129
130#ifdef INCLUDEMAIN
131
132using namespace CWE126_Buffer_Overread__new_char_memmove_05; /* so that we can use good and bad easily */
133
134int main(int argc, char * argv[])
135{
136 /* seed randomness */
137 srand( (unsigned)time(NULL) );
138#ifndef OMITGOOD
139 printLine("Calling good()...");
140 good();
141 printLine("Finished good()");
142#endif /* OMITGOOD */
143#ifndef OMITBAD
144 printLine("Calling bad()...");
145 bad();
146 printLine("Finished bad()");
147#endif /* OMITBAD */
148 return 0;
149}
150
151#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5963: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memcpy_01.c

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memcpy_01.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml
4Template File: sources-sink-01.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 * Sink: memcpy
12 * BadSink : Copy int64_t array to data using memcpy
13 * Flow Variant: 01 Baseline
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memcpy_01_bad()
22{
23 int64_t * data;
24 data = NULL;
25 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
26 data = (int64_t *)malloc(50*sizeof(int64_t));
27 if (data == NULL) {exit(-1);}
28 {
29 int64_t source[100] = {0}; /* fill with 0's */
30 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
31 memcpy(data, source, 100*sizeof(int64_t));❗VULN
32 printLongLongLine(data[0]);
33 free(data);
34 }
35}
36
37#endif /* OMITBAD */
38
39#ifndef OMITGOOD
40
41/* goodG2B uses the GoodSource with the BadSink */
42static void goodG2B()
43{
44 int64_t * data;
45 data = NULL;
46 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
47 data = (int64_t *)malloc(100*sizeof(int64_t));
48 if (data == NULL) {exit(-1);}
49 {
50 int64_t source[100] = {0}; /* fill with 0's */
51 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
52 memcpy(data, source, 100*sizeof(int64_t));
53 printLongLongLine(data[0]);
54 free(data);
55 }
56}
57
58void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memcpy_01_good()
59{
60 goodG2B();
61}
62
63#endif /* OMITGOOD */
64
65/* Below is the main(). It is only used when building this testcase on
66 * its own for testing or for building a binary to use in testing binary
67 * analysis tools. It is not used when compiling all the testcases as one
68 * application, which is how source code analysis tools are tested.
69 */
70
71#ifdef INCLUDEMAIN
72
73int main(int argc, char * argv[])
74{
75 /* seed randomness */
76 srand( (unsigned)time(NULL) );
77#ifndef OMITGOOD
78 printLine("Calling good()...");
79 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memcpy_01_good();
80 printLine("Finished good()");
81#endif /* OMITGOOD */
82#ifndef OMITBAD
83 printLine("Calling bad()...");
84 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int64_t_memcpy_01_bad();
85 printLine("Finished bad()");
86#endif /* OMITBAD */
87 return 0;
88}
89
90#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3313: CWE126_Buffer_Overread__malloc_wchar_t_memmove_33.cpp

Nodes: 16 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__malloc_wchar_t_memmove_33.cpp
3Label Definition File: CWE126_Buffer_Overread__malloc.label.xml
4Template File: sources-sink-33.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Use a small buffer
10 * GoodSource: Use a large buffer
11 * Sinks: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE126_Buffer_Overread__malloc_wchar_t_memmove_33
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 wchar_t * data;
29 wchar_t * &dataRef = data;
30 data = NULL;
31 /* FLAW: Use a small buffer */
32 data = (wchar_t *)malloc(50*sizeof(wchar_t));
33 if (data == NULL) {exit(-1);}
34 wmemset(data, L'A', 50-1); /* fill with 'A's */
35 data[50-1] = L'\0'; /* null terminate */
36 {
37 wchar_t * data = dataRef;
38 {
39 wchar_t dest[100];
40 wmemset(dest, L'C', 100-1);
41 dest[100-1] = L'\0'; /* null terminate */
42 /* POTENTIAL FLAW: using memmove with the length of the dest where data
43 * could be smaller than dest causing buffer overread */
44 memmove(dest, data, wcslen(dest)*sizeof(wchar_t));❗VULN
45 dest[100-1] = L'\0';
46 printWLine(dest);
47 free(data);
48 }
49 }
50}
51
52#endif /* OMITBAD */
53
54#ifndef OMITGOOD
55
56/* goodG2B() uses the GoodSource with the BadSink */
57static void goodG2B()
58{
59 wchar_t * data;
60 wchar_t * &dataRef = data;
61 data = NULL;
62 /* FIX: Use a large buffer */
63 data = (wchar_t *)malloc(100*sizeof(wchar_t));
64 if (data == NULL) {exit(-1);}
65 wmemset(data, L'A', 100-1); /* fill with 'A's */
66 data[100-1] = L'\0'; /* null terminate */
67 {
68 wchar_t * data = dataRef;
69 {
70 wchar_t dest[100];
71 wmemset(dest, L'C', 100-1);
72 dest[100-1] = L'\0'; /* null terminate */
73 /* POTENTIAL FLAW: using memmove with the length of the dest where data
74 * could be smaller than dest causing buffer overread */
75 memmove(dest, data, wcslen(dest)*sizeof(wchar_t));
76 dest[100-1] = L'\0';
77 printWLine(dest);
78 free(data);
79 }
80 }
81}
82
83void good()
84{
85 goodG2B();
86}
87
88#endif /* OMITGOOD */
89
90} /* close namespace */
91
92/* Below is the main(). It is only used when building this testcase on
93 * its own for testing or for building a binary to use in testing binary
94 * analysis tools. It is not used when compiling all the testcases as one
95 * application, which is how source code analysis tools are tested.
96 */
97#ifdef INCLUDEMAIN
98
99using namespace CWE126_Buffer_Overread__malloc_wchar_t_memmove_33; /* so that we can use good and bad easily */
100
101int main(int argc, char * argv[])
102{
103 /* seed randomness */
104 srand( (unsigned)time(NULL) );
105#ifndef OMITGOOD
106 printLine("Calling good()...");
107 good();
108 printLine("Finished good()");
109#endif /* OMITGOOD */
110#ifndef OMITBAD
111 printLine("Calling bad()...");
112 bad();
113 printLine("Finished bad()");
114#endif /* OMITBAD */
115 return 0;
116}
117
118#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3719: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_33.cpp

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_33.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml
4Template File: sources-sink-33.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 * Sinks: memmove
12 * BadSink : Copy int array to data using memmove
13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19namespace CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_33
20{
21
22#ifndef OMITBAD
23
24void bad()
25{
26 int * data;
27 int * &dataRef = data;
28 data = NULL;
29 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
30 data = (int *)malloc(50*sizeof(int));
31 if (data == NULL) {exit(-1);}
32 {
33 int * data = dataRef;
34 {
35 int source[100] = {0}; /* fill with 0's */
36 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
37 memmove(data, source, 100*sizeof(int));❗VULN
38 printIntLine(data[0]);
39 free(data);
40 }
41 }
42}
43
44#endif /* OMITBAD */
45
46#ifndef OMITGOOD
47
48/* goodG2B() uses the GoodSource with the BadSink */
49static void goodG2B()
50{
51 int * data;
52 int * &dataRef = data;
53 data = NULL;
54 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
55 data = (int *)malloc(100*sizeof(int));
56 if (data == NULL) {exit(-1);}
57 {
58 int * data = dataRef;
59 {
60 int source[100] = {0}; /* fill with 0's */
61 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
62 memmove(data, source, 100*sizeof(int));
63 printIntLine(data[0]);
64 free(data);
65 }
66 }
67}
68
69void good()
70{
71 goodG2B();
72}
73
74#endif /* OMITGOOD */
75
76} /* close namespace */
77
78/* Below is the main(). It is only used when building this testcase on
79 * its own for testing or for building a binary to use in testing binary
80 * analysis tools. It is not used when compiling all the testcases as one
81 * application, which is how source code analysis tools are tested.
82 */
83#ifdef INCLUDEMAIN
84
85using namespace CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_33; /* so that we can use good and bad easily */
86
87int main(int argc, char * argv[])
88{
89 /* seed randomness */
90 srand( (unsigned)time(NULL) );
91#ifndef OMITGOOD
92 printLine("Calling good()...");
93 good();
94 printLine("Finished good()");
95#endif /* OMITGOOD */
96#ifndef OMITBAD
97 printLine("Calling bad()...");
98 bad();
99 printLine("Finished bad()");
100#endif /* OMITBAD */
101 return 0;
102}
103
104#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5315: CWE127_Buffer_Underread__new_char_memmove_05.cpp

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__new_char_memmove_05.cpp
3Label Definition File: CWE127_Buffer_Underread__new.label.xml
4Template File: sources-sink-05.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are not defined as "const", but are never
22 assigned any other value, so a tool should be able to identify that
23 reads of these will always return their initialized values. */
24static int staticTrue = 1; /* true */
25static int staticFalse = 0; /* false */
26
27namespace CWE127_Buffer_Underread__new_char_memmove_05
28{
29
30#ifndef OMITBAD
31
32void bad()
33{
34 char * data;
35 data = NULL;
36 if(staticTrue)
37 {
38 {
39 char * dataBuffer = new char[100];
40 memset(dataBuffer, 'A', 100-1);
41 dataBuffer[100-1] = '\0';
42 /* FLAW: Set data pointer to before the allocated memory buffer */
43 data = dataBuffer - 8;
44 }
45 }
46 {
47 char dest[100];
48 memset(dest, 'C', 100-1); /* fill with 'C's */
49 dest[100-1] = '\0'; /* null terminate */
50 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
51 memmove(dest, data, 100*sizeof(char));❗VULN
52 /* Ensure null termination */
53 dest[100-1] = '\0';
54 printLine(dest);
55 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
56 * returned by new [] so can't safely call delete [] on it */
57 }
58}
59
60#endif /* OMITBAD */
61
62#ifndef OMITGOOD
63
64/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */
65static void goodG2B1()
66{
67 char * data;
68 data = NULL;
69 if(staticFalse)
70 {
71 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
72 printLine("Benign, fixed string");
73 }
74 else
75 {
76 {
77 char * dataBuffer = new char[100];
78 memset(dataBuffer, 'A', 100-1);
79 dataBuffer[100-1] = '\0';
80 /* FIX: Set data pointer to the allocated memory buffer */
81 data = dataBuffer;
82 }
83 }
84 {
85 char dest[100];
86 memset(dest, 'C', 100-1); /* fill with 'C's */
87 dest[100-1] = '\0'; /* null terminate */
88 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
89 memmove(dest, data, 100*sizeof(char));
90 /* Ensure null termination */
91 dest[100-1] = '\0';
92 printLine(dest);
93 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
94 * returned by new [] so can't safely call delete [] on it */
95 }
96}
97
98/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
99static void goodG2B2()
100{
101 char * data;
102 data = NULL;
103 if(staticTrue)
104 {
105 {
106 char * dataBuffer = new char[100];
107 memset(dataBuffer, 'A', 100-1);
108 dataBuffer[100-1] = '\0';
109 /* FIX: Set data pointer to the allocated memory buffer */
110 data = dataBuffer;
111 }
112 }
113 {
114 char dest[100];
115 memset(dest, 'C', 100-1); /* fill with 'C's */
116 dest[100-1] = '\0'; /* null terminate */
117 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
118 memmove(dest, data, 100*sizeof(char));
119 /* Ensure null termination */
120 dest[100-1] = '\0';
121 printLine(dest);
122 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
123 * returned by new [] so can't safely call delete [] on it */
124 }
125}
126
127void good()
128{
129 goodG2B1();
130 goodG2B2();
131}
132
133#endif /* OMITGOOD */
134
135} /* close namespace */
136
137/* Below is the main(). It is only used when building this testcase on
138 its own for testing or for building a binary to use in testing binary
139 analysis tools. It is not used when compiling all the testcases as one
140 application, which is how source code analysis tools are tested. */
141
142#ifdef INCLUDEMAIN
143
144using namespace CWE127_Buffer_Underread__new_char_memmove_05; /* so that we can use good and bad easily */
145
146int main(int argc, char * argv[])
147{
148 /* seed randomness */
149 srand( (unsigned)time(NULL) );
150#ifndef OMITGOOD
151 printLine("Calling good()...");
152 good();
153 printLine("Finished good()");
154#endif /* OMITGOOD */
155#ifndef OMITBAD
156 printLine("Calling bad()...");
157 bad();
158 printLine("Finished bad()");
159#endif /* OMITBAD */
160 return 0;
161}
162
163#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7996: CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_loop_10.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_loop_10.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE193.label.xml
4Template File: sources-sink-10.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Point data to a buffer that does not have space for a NULL terminator
10 * GoodSource: Point data to a buffer that includes space for a NULL terminator
11 * Sink: loop
12 * BadSink : Copy array to data using a loop
13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING L"AAAAAAAAAA"
25
26#ifndef OMITBAD
27
28void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_loop_10_bad()
29{
30 wchar_t * data;
31 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA((10)*sizeof(wchar_t));
32 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA((10+1)*sizeof(wchar_t));
33 if(globalTrue)
34 {
35 /* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing
36 * string copies in the sinks */
37 data = dataBadBuffer;
38 data[0] = L'\0'; /* null terminate */
39 }
40 {
41 wchar_t source[10+1] = SRC_STRING;
42 size_t i, sourceLen;
43 sourceLen = wcslen(source);
44 /* Copy length + 1 to include NUL terminator from source */
45 /* POTENTIAL FLAW: data may not have enough space to hold source */
46 for (i = 0; i < sourceLen + 1; i++)
47 {
48 data[i] = source[i];❗VULN
49 }
50 printWLine(data);
51 }
52}
53
54#endif /* OMITBAD */
55
56#ifndef OMITGOOD
57
58/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */
59static void goodG2B1()
60{
61 wchar_t * data;
62 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA((10)*sizeof(wchar_t));
63 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA((10+1)*sizeof(wchar_t));
64 if(globalFalse)
65 {
66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
67 printLine("Benign, fixed string");
68 }
69 else
70 {
71 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing
72 * string copies in the sinks */
73 data = dataGoodBuffer;
74 data[0] = L'\0'; /* null terminate */
75 }
76 {
77 wchar_t source[10+1] = SRC_STRING;
78 size_t i, sourceLen;
79 sourceLen = wcslen(source);
80 /* Copy length + 1 to include NUL terminator from source */
81 /* POTENTIAL FLAW: data may not have enough space to hold source */
82 for (i = 0; i < sourceLen + 1; i++)
83 {
84 data[i] = source[i];
85 }
86 printWLine(data);
87 }
88}
89
90/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
91static void goodG2B2()
92{
93 wchar_t * data;
94 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA((10)*sizeof(wchar_t));
95 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA((10+1)*sizeof(wchar_t));
96 if(globalTrue)
97 {
98 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing
99 * string copies in the sinks */
100 data = dataGoodBuffer;
101 data[0] = L'\0'; /* null terminate */
102 }
103 {
104 wchar_t source[10+1] = SRC_STRING;
105 size_t i, sourceLen;
106 sourceLen = wcslen(source);
107 /* Copy length + 1 to include NUL terminator from source */
108 /* POTENTIAL FLAW: data may not have enough space to hold source */
109 for (i = 0; i < sourceLen + 1; i++)
110 {
111 data[i] = source[i];
112 }
113 printWLine(data);
114 }
115}
116
117void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_loop_10_good()
118{
119 goodG2B1();
120 goodG2B2();
121}
122
123#endif /* OMITGOOD */
124
125/* Below is the main(). It is only used when building this testcase on
126 * its own for testing or for building a binary to use in testing binary
127 * analysis tools. It is not used when compiling all the testcases as one
128 * application, which is how source code analysis tools are tested.
129 */
130
131#ifdef INCLUDEMAIN
132
133int main(int argc, char * argv[])
134{
135 /* seed randomness */
136 srand( (unsigned)time(NULL) );
137#ifndef OMITGOOD
138 printLine("Calling good()...");
139 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_loop_10_good();
140 printLine("Finished good()");
141#endif /* OMITGOOD */
142#ifndef OMITBAD
143 printLine("Calling bad()...");
144 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_loop_10_bad();
145 printLine("Finished bad()");
146#endif /* OMITBAD */
147 return 0;
148}
149
150#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2220: CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_07.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_07.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml
4Template File: sources-sink-07.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: cpy
12 * BadSink : Copy string to data using wcscpy
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The variable below is not declared "const", but is never assigned
22 * any other value so a tool should be able to identify that reads of
23 * this will always give its initialized value.
24 */
25static int staticFive = 5;
26
27#ifndef OMITBAD
28
29void CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_07_bad()
30{
31 wchar_t * data;
32 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
33 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
34 if(staticFive==5)
35 {
36 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
37 * buffer in various memory copying functions using a "large" source buffer. */
38 data = dataBadBuffer;
39 data[0] = L'\0'; /* null terminate */
40 }
41 {
42 wchar_t source[100];
43 wmemset(source, L'C', 100-1); /* fill with L'C's */
44 source[100-1] = L'\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
46 wcscpy(data, source);❗VULN
47 printWLine(data);
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
56static void goodG2B1()
57{
58 wchar_t * data;
59 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
60 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
61 if(staticFive!=5)
62 {
63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
64 printLine("Benign, fixed string");
65 }
66 else
67 {
68 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
69 data = dataGoodBuffer;
70 data[0] = L'\0'; /* null terminate */
71 }
72 {
73 wchar_t source[100];
74 wmemset(source, L'C', 100-1); /* fill with L'C's */
75 source[100-1] = L'\0'; /* null terminate */
76 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
77 wcscpy(data, source);
78 printWLine(data);
79 }
80}
81
82/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
83static void goodG2B2()
84{
85 wchar_t * data;
86 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
87 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
88 if(staticFive==5)
89 {
90 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
91 data = dataGoodBuffer;
92 data[0] = L'\0'; /* null terminate */
93 }
94 {
95 wchar_t source[100];
96 wmemset(source, L'C', 100-1); /* fill with L'C's */
97 source[100-1] = L'\0'; /* null terminate */
98 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
99 wcscpy(data, source);
100 printWLine(data);
101 }
102}
103
104void CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_07_good()
105{
106 goodG2B1();
107 goodG2B2();
108}
109
110#endif /* OMITGOOD */
111
112/* Below is the main(). It is only used when building this testcase on
113 * its own for testing or for building a binary to use in testing binary
114 * analysis tools. It is not used when compiling all the testcases as one
115 * application, which is how source code analysis tools are tested.
116 */
117
118#ifdef INCLUDEMAIN
119
120int main(int argc, char * argv[])
121{
122 /* seed randomness */
123 srand( (unsigned)time(NULL) );
124#ifndef OMITGOOD
125 printLine("Calling good()...");
126 CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_07_good();
127 printLine("Finished good()");
128#endif /* OMITGOOD */
129#ifndef OMITBAD
130 printLine("Calling bad()...");
131 CWE121_Stack_Based_Buffer_Overflow__dest_wchar_t_alloca_cpy_07_bad();
132 printLine("Finished bad()");
133#endif /* OMITBAD */
134 return 0;
135}
136
137#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7502: CWE122_Heap_Based_Buffer_Overflow__placement_new_10.cpp

Nodes: 15 | Sink Nodes: 2 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__placement_new_10.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__placement_new.label.xml
4Template File: sources-sinks-10.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data to a small buffer
10 * GoodSource: Initialize data to a buffer large enough to hold a TwoIntsClass
11 * Sinks:
12 * GoodSink: Allocate a new class using placement new and a buffer that is large enough to hold the class
13 * BadSink : Allocate a new class using placement new and a buffer that is too small
14 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)
15 *
16 * */
17
18#include "std_testcase.h"
19
20namespace CWE122_Heap_Based_Buffer_Overflow__placement_new_10
21{
22
23#ifndef OMITBAD
24
25void bad()
26{
27 char * data;
28 char * dataBadBuffer = (char *)malloc(sizeof(OneIntClass));
29 if (dataBadBuffer == NULL) {exit(-1);}
30 char * dataGoodBuffer = (char *)malloc(sizeof(TwoIntsClass));
31 if (dataGoodBuffer == NULL) {exit(-1);}
32 if(globalTrue)
33 {
34 /* POTENTIAL FLAW: Initialize data to a buffer small than the sizeof(TwoIntsClass) */
35 data = dataBadBuffer;
36 }
37 if(globalTrue)
38 {
39 {
40 /* The Visual C++ compiler generates a warning if you initialize the class with ().
41 * This will cause the compile to default-initialize the object.
42 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx
43 */
44 /* POTENTIAL FLAW: data may not be large enough to hold a TwoIntsClass */
45 TwoIntsClass * classTwo = new(data) TwoIntsClass;
46 /* Initialize and make use of the class */
47 classTwo->intOne = 5;
48 classTwo->intTwo = 10; /* POTENTIAL FLAW: If sizeof(data) < sizeof(TwoIntsClass) then this line will be a buffer overflow */❗VULN
49 printIntLine(classTwo->intOne);
50 /* skip printing classTwo->intTwo since that could be a buffer overread */
51 free(data);
52 }
53 }
54}
55
56#endif /* OMITBAD */
57
58#ifndef OMITGOOD
59
60/* goodB2G1() - use badsource and goodsink by changing the second globalTrue to globalFalse */
61static void goodB2G1()
62{
63 char * data;
64 char * dataBadBuffer = (char *)malloc(sizeof(OneIntClass));
65 if (dataBadBuffer == NULL) {exit(-1);}
66 char * dataGoodBuffer = (char *)malloc(sizeof(TwoIntsClass));
67 if (dataGoodBuffer == NULL) {exit(-1);}
68 if(globalTrue)
69 {
70 /* POTENTIAL FLAW: Initialize data to a buffer small than the sizeof(TwoIntsClass) */
71 data = dataBadBuffer;
72 }
73 if(globalFalse)
74 {
75 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
76 printLine("Benign, fixed string");
77 }
78 else
79 {
80 {
81 /* The Visual C++ compiler generates a warning if you initialize the class with ().
82 * This will cause the compile to default-initialize the object.
83 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx
84 */
85 /* FIX: data will at least be the sizeof(OneIntClass) */
86 OneIntClass * classOne = new(data) OneIntClass;
87 /* Initialize and make use of the class */
88 classOne->intOne = 5;
89 printIntLine(classOne->intOne);
90 free(data);
91 }
92 }
93}
94
95/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */
96static void goodB2G2()
97{
98 char * data;
99 char * dataBadBuffer = (char *)malloc(sizeof(OneIntClass));
100 if (dataBadBuffer == NULL) {exit(-1);}
101 char * dataGoodBuffer = (char *)malloc(sizeof(TwoIntsClass));
102 if (dataGoodBuffer == NULL) {exit(-1);}
103 if(globalTrue)
104 {
105 /* POTENTIAL FLAW: Initialize data to a buffer small than the sizeof(TwoIntsClass) */
106 data = dataBadBuffer;
107 }
108 if(globalTrue)
109 {
110 {
111 /* The Visual C++ compiler generates a warning if you initialize the class with ().
112 * This will cause the compile to default-initialize the object.
113 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx
114 */
115 /* FIX: data will at least be the sizeof(OneIntClass) */
116 OneIntClass * classOne = new(data) OneIntClass;
117 /* Initialize and make use of the class */
118 classOne->intOne = 5;
119 printIntLine(classOne->intOne);
120 free(data);
121 }
122 }
123}
124
125/* goodG2B1() - use goodsource and badsink by changing the first globalTrue to globalFalse */
126static void goodG2B1()
127{
128 char * data;
129 char * dataBadBuffer = (char *)malloc(sizeof(OneIntClass));
130 if (dataBadBuffer == NULL) {exit(-1);}
131 char * dataGoodBuffer = (char *)malloc(sizeof(TwoIntsClass));
132 if (dataGoodBuffer == NULL) {exit(-1);}
133 if(globalFalse)
134 {
135 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
136 printLine("Benign, fixed string");
137 }
138 else
139 {
140 /* FIX: Initialize to a buffer at least the sizeof(TwoIntsClass) */
141 data = dataGoodBuffer;
142 }
143 if(globalTrue)
144 {
145 {
146 /* The Visual C++ compiler generates a warning if you initialize the class with ().
147 * This will cause the compile to default-initialize the object.
148 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx
149 */
150 /* POTENTIAL FLAW: data may not be large enough to hold a TwoIntsClass */
151 TwoIntsClass * classTwo = new(data) TwoIntsClass;
152 /* Initialize and make use of the class */
153 classTwo->intOne = 5;
154 classTwo->intTwo = 10; /* POTENTIAL FLAW: If sizeof(data) < sizeof(TwoIntsClass) then this line will be a buffer overflow */
155 printIntLine(classTwo->intOne);
156 /* skip printing classTwo->intTwo since that could be a buffer overread */
157 free(data);
158 }
159 }
160}
161
162/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */
163static void goodG2B2()
164{
165 char * data;
166 char * dataBadBuffer = (char *)malloc(sizeof(OneIntClass));
167 if (dataBadBuffer == NULL) {exit(-1);}
168 char * dataGoodBuffer = (char *)malloc(sizeof(TwoIntsClass));
169 if (dataGoodBuffer == NULL) {exit(-1);}
170 if(globalTrue)
171 {
172 /* FIX: Initialize to a buffer at least the sizeof(TwoIntsClass) */
173 data = dataGoodBuffer;
174 }
175 if(globalTrue)
176 {
177 {
178 /* The Visual C++ compiler generates a warning if you initialize the class with ().
179 * This will cause the compile to default-initialize the object.
180 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx
181 */
182 /* POTENTIAL FLAW: data may not be large enough to hold a TwoIntsClass */
183 TwoIntsClass * classTwo = new(data) TwoIntsClass;
184 /* Initialize and make use of the class */
185 classTwo->intOne = 5;
186 classTwo->intTwo = 10; /* POTENTIAL FLAW: If sizeof(data) < sizeof(TwoIntsClass) then this line will be a buffer overflow */
187 printIntLine(classTwo->intOne);
188 /* skip printing classTwo->intTwo since that could be a buffer overread */
189 free(data);
190 }
191 }
192}
193
194void good()
195{
196 goodB2G1();
197 goodB2G2();
198 goodG2B1();
199 goodG2B2();
200}
201
202#endif /* OMITGOOD */
203
204} /* close namespace */
205
206/* Below is the main(). It is only used when building this testcase on
207 its own for testing or for building a binary to use in testing binary
208 analysis tools. It is not used when compiling all the testcases as one
209 application, which is how source code analysis tools are tested. */
210
211#ifdef INCLUDEMAIN
212
213using namespace CWE122_Heap_Based_Buffer_Overflow__placement_new_10; /* so that we can use good and bad easily */
214
215int main(int argc, char * argv[])
216{
217 /* seed randomness */
218 srand( (unsigned)time(NULL) );
219#ifndef OMITGOOD
220 printLine("Calling good()...");
221 good();
222 printLine("Finished good()");
223#endif /* OMITGOOD */
224#ifndef OMITBAD
225 printLine("Calling bad()...");
226 bad();
227 printLine("Finished bad()");
228#endif /* OMITBAD */
229 return 0;
230}
231
232#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7856: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_memcpy_17.c

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_memcpy_17.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml
4Template File: sources-sink-17.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 17 Control flow: for loops
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_memcpy_17_bad()
24{
25 int i;
26 wchar_t * data;
27 data = (wchar_t *)malloc(100*sizeof(wchar_t));
28 if (data == NULL) {exit(-1);}
29 for(i = 0; i < 1; i++)
30 {
31 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
32 wmemset(data, L'A', 100-1); /* fill with L'A's */
33 data[100-1] = L'\0'; /* null terminate */
34 }
35 {
36 wchar_t dest[50] = L"";
37 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
38 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));❗VULN
39 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
40 printWLine(data);
41 free(data);
42 }
43}
44
45#endif /* OMITBAD */
46
47#ifndef OMITGOOD
48
49/* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */
50static void goodG2B()
51{
52 int h;
53 wchar_t * data;
54 data = (wchar_t *)malloc(100*sizeof(wchar_t));
55 if (data == NULL) {exit(-1);}
56 for(h = 0; h < 1; h++)
57 {
58 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
59 wmemset(data, L'A', 50-1); /* fill with L'A's */
60 data[50-1] = L'\0'; /* null terminate */
61 }
62 {
63 wchar_t dest[50] = L"";
64 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
65 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));
66 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
67 printWLine(data);
68 free(data);
69 }
70}
71
72void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_memcpy_17_good()
73{
74 goodG2B();
75}
76
77#endif /* OMITGOOD */
78
79/* Below is the main(). It is only used when building this testcase on
80 * its own for testing or for building a binary to use in testing binary
81 * analysis tools. It is not used when compiling all the testcases as one
82 * application, which is how source code analysis tools are tested.
83 */
84
85#ifdef INCLUDEMAIN
86
87int main(int argc, char * argv[])
88{
89 /* seed randomness */
90 srand( (unsigned)time(NULL) );
91#ifndef OMITGOOD
92 printLine("Calling good()...");
93 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_memcpy_17_good();
94 printLine("Finished good()");
95#endif /* OMITGOOD */
96#ifndef OMITBAD
97 printLine("Calling bad()...");
98 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_memcpy_17_bad();
99 printLine("Finished bad()");
100#endif /* OMITBAD */
101 return 0;
102}
103
104#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4774: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_memmove_05.cpp

Nodes: 8 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_memmove_05.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193.label.xml
4Template File: sources-sink-05.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 * GoodSource: Allocate enough memory for a string and the NULL terminator
11 * Sink: memmove
12 * BadSink : Copy string to data using memmove()
13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING "AAAAAAAAAA"
25
26/* The two variables below are not defined as "const", but are never
27 assigned any other value, so a tool should be able to identify that
28 reads of these will always return their initialized values. */
29static int staticTrue = 1; /* true */
30static int staticFalse = 0; /* false */
31
32namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_memmove_05
33{
34
35#ifndef OMITBAD
36
37void bad()
38{
39 char * data;
40 data = NULL;
41 if(staticTrue)
42 {
43 /* FLAW: Did not leave space for a null terminator */
44 data = new char[10];
45 }
46 {
47 char source[10+1] = SRC_STRING;
48 /* Copy length + 1 to include NUL terminator from source */
49 /* POTENTIAL FLAW: data may not have enough space to hold source */
50 memmove(data, source, (strlen(source) + 1) * sizeof(char));❗VULN
51 printLine(data);
52 delete [] data;
53 }
54}
55
56#endif /* OMITBAD */
57
58#ifndef OMITGOOD
59
60/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */
61static void goodG2B1()
62{
63 char * data;
64 data = NULL;
65 if(staticFalse)
66 {
67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
68 printLine("Benign, fixed string");
69 }
70 else
71 {
72 /* FIX: Allocate space for a null terminator */
73 data = new char[10+1];
74 }
75 {
76 char source[10+1] = SRC_STRING;
77 /* Copy length + 1 to include NUL terminator from source */
78 /* POTENTIAL FLAW: data may not have enough space to hold source */
79 memmove(data, source, (strlen(source) + 1) * sizeof(char));
80 printLine(data);
81 delete [] data;
82 }
83}
84
85/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
86static void goodG2B2()
87{
88 char * data;
89 data = NULL;
90 if(staticTrue)
91 {
92 /* FIX: Allocate space for a null terminator */
93 data = new char[10+1];
94 }
95 {
96 char source[10+1] = SRC_STRING;
97 /* Copy length + 1 to include NUL terminator from source */
98 /* POTENTIAL FLAW: data may not have enough space to hold source */
99 memmove(data, source, (strlen(source) + 1) * sizeof(char));
100 printLine(data);
101 delete [] data;
102 }
103}
104
105void good()
106{
107 goodG2B1();
108 goodG2B2();
109}
110
111#endif /* OMITGOOD */
112
113} /* close namespace */
114
115/* Below is the main(). It is only used when building this testcase on
116 its own for testing or for building a binary to use in testing binary
117 analysis tools. It is not used when compiling all the testcases as one
118 application, which is how source code analysis tools are tested. */
119
120#ifdef INCLUDEMAIN
121
122using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_memmove_05; /* so that we can use good and bad easily */
123
124int main(int argc, char * argv[])
125{
126 /* seed randomness */
127 srand( (unsigned)time(NULL) );
128#ifndef OMITGOOD
129 printLine("Calling good()...");
130 good();
131 printLine("Finished good()");
132#endif /* OMITGOOD */
133#ifndef OMITBAD
134 printLine("Calling bad()...");
135 bad();
136 printLine("Finished bad()");
137#endif /* OMITBAD */
138 return 0;
139}
140
141#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4127: CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_34.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_34.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE193.label.xml
4Template File: sources-sink-34.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Point data to a buffer that does not have space for a NULL terminator
10 * GoodSource: Point data to a buffer that includes space for a NULL terminator
11 * Sinks: ncpy
12 * BadSink : Copy string to data using strncpy()
13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING "AAAAAAAAAA"
25
26typedef union
27{
28 char * unionFirst;
29 char * unionSecond;
30} CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_34_unionType;
31
32#ifndef OMITBAD
33
34void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_34_bad()
35{
36 char * data;
37 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_34_unionType myUnion;
38 char dataBadBuffer[10];
39 char dataGoodBuffer[10+1];
40 /* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing
41 * string copies in the sinks */
42 data = dataBadBuffer;
43 data[0] = '\0'; /* null terminate */
44 myUnion.unionFirst = data;
45 {
46 char * data = myUnion.unionSecond;
47 {
48 char source[10+1] = SRC_STRING;
49 /* Copy length + 1 to include NUL terminator from source */
50 /* POTENTIAL FLAW: data may not have enough space to hold source */
51 strncpy(data, source, strlen(source) + 1);❗VULN
52 printLine(data);
53 }
54 }
55}
56
57#endif /* OMITBAD */
58
59#ifndef OMITGOOD
60
61/* goodG2B() uses the GoodSource with the BadSink */
62static void goodG2B()
63{
64 char * data;
65 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_34_unionType myUnion;
66 char dataBadBuffer[10];
67 char dataGoodBuffer[10+1];
68 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing
69 * string copies in the sinks */
70 data = dataGoodBuffer;
71 data[0] = '\0'; /* null terminate */
72 myUnion.unionFirst = data;
73 {
74 char * data = myUnion.unionSecond;
75 {
76 char source[10+1] = SRC_STRING;
77 /* Copy length + 1 to include NUL terminator from source */
78 /* POTENTIAL FLAW: data may not have enough space to hold source */
79 strncpy(data, source, strlen(source) + 1);
80 printLine(data);
81 }
82 }
83}
84
85void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_34_good()
86{
87 goodG2B();
88}
89
90#endif /* OMITGOOD */
91
92/* Below is the main(). It is only used when building this testcase on
93 * its own for testing or for building a binary to use in testing binary
94 * analysis tools. It is not used when compiling all the testcases as one
95 * application, which is how source code analysis tools are tested.
96 */
97#ifdef INCLUDEMAIN
98
99int main(int argc, char * argv[])
100{
101 /* seed randomness */
102 srand( (unsigned)time(NULL) );
103#ifndef OMITGOOD
104 printLine("Calling good()...");
105 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_34_good();
106 printLine("Finished good()");
107#endif /* OMITGOOD */
108#ifndef OMITBAD
109 printLine("Calling bad()...");
110 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_declare_ncpy_34_bad();
111 printLine("Finished bad()");
112#endif /* OMITBAD */
113 return 0;
114}
115
116#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4496: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_18.c

Nodes: 19 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_18.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-18.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: loop
12 * BadSink : Copy twoIntsStruct array to data using a loop
13 * Flow Variant: 18 Control flow: goto statements
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_18_bad()
22{
23 twoIntsStruct * data;
24 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));
25 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));
26 goto source;
27source:
28 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
29 * buffer in various memory copying functions using a "large" source buffer. */
30 data = dataBadBuffer;
31 {
32 twoIntsStruct source[100];
33 {
34 size_t i;
35 /* Initialize array */
36 for (i = 0; i < 100; i++)
37 {
38 source[i].intOne = 0;
39 source[i].intTwo = 0;
40 }
41 }
42 {
43 size_t i;
44 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
45 for (i = 0; i < 100; i++)
46 {
47 data[i] = source[i];❗VULN
48 }
49 printStructLine(&data[0]);
50 }
51 }
52}
53
54#endif /* OMITBAD */
55
56#ifndef OMITGOOD
57
58/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
59static void goodG2B()
60{
61 twoIntsStruct * data;
62 twoIntsStruct * dataBadBuffer = (twoIntsStruct *)ALLOCA(50*sizeof(twoIntsStruct));
63 twoIntsStruct * dataGoodBuffer = (twoIntsStruct *)ALLOCA(100*sizeof(twoIntsStruct));
64 goto source;
65source:
66 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
67 data = dataGoodBuffer;
68 {
69 twoIntsStruct source[100];
70 {
71 size_t i;
72 /* Initialize array */
73 for (i = 0; i < 100; i++)
74 {
75 source[i].intOne = 0;
76 source[i].intTwo = 0;
77 }
78 }
79 {
80 size_t i;
81 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
82 for (i = 0; i < 100; i++)
83 {
84 data[i] = source[i];
85 }
86 printStructLine(&data[0]);
87 }
88 }
89}
90
91void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_18_good()
92{
93 goodG2B();
94}
95
96#endif /* OMITGOOD */
97
98/* Below is the main(). It is only used when building this testcase on
99 * its own for testing or for building a binary to use in testing binary
100 * analysis tools. It is not used when compiling all the testcases as one
101 * application, which is how source code analysis tools are tested.
102 */
103
104#ifdef INCLUDEMAIN
105
106int main(int argc, char * argv[])
107{
108 /* seed randomness */
109 srand( (unsigned)time(NULL) );
110#ifndef OMITGOOD
111 printLine("Calling good()...");
112 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_18_good();
113 printLine("Finished good()");
114#endif /* OMITGOOD */
115#ifndef OMITBAD
116 printLine("Calling bad()...");
117 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_alloca_loop_18_bad();
118 printLine("Finished bad()");
119#endif /* OMITBAD */
120 return 0;
121}
122
123#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7410: CWE126_Buffer_Overread__wchar_t_declare_memcpy_05.c

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__wchar_t_declare_memcpy_05.c
3Label Definition File: CWE126_Buffer_Overread.stack.label.xml
4Template File: sources-sink-05.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Set data pointer to a small buffer
10 * GoodSource: Set data pointer to a large buffer
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are not defined as "const", but are never
22 * assigned any other value, so a tool should be able to identify that
23 * reads of these will always return their initialized values.
24 */
25static int staticTrue = 1; /* true */
26static int staticFalse = 0; /* false */
27
28#ifndef OMITBAD
29
30void CWE126_Buffer_Overread__wchar_t_declare_memcpy_05_bad()
31{
32 wchar_t * data;
33 wchar_t dataBadBuffer[50];
34 wchar_t dataGoodBuffer[100];
35 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */
36 dataBadBuffer[50-1] = L'\0'; /* null terminate */
37 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */
38 dataGoodBuffer[100-1] = L'\0'; /* null terminate */
39 if(staticTrue)
40 {
41 /* FLAW: Set data pointer to a small buffer */
42 data = dataBadBuffer;
43 }
44 {
45 wchar_t dest[100];
46 wmemset(dest, L'C', 100-1);
47 dest[100-1] = L'\0'; /* null terminate */
48 /* POTENTIAL FLAW: using memcpy with the length of the dest where data
49 * could be smaller than dest causing buffer overread */
50 memcpy(dest, data, wcslen(dest)*sizeof(wchar_t));❗VULN
51 dest[100-1] = L'\0';
52 printWLine(dest);
53 }
54}
55
56#endif /* OMITBAD */
57
58#ifndef OMITGOOD
59
60/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */
61static void goodG2B1()
62{
63 wchar_t * data;
64 wchar_t dataBadBuffer[50];
65 wchar_t dataGoodBuffer[100];
66 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */
67 dataBadBuffer[50-1] = L'\0'; /* null terminate */
68 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */
69 dataGoodBuffer[100-1] = L'\0'; /* null terminate */
70 if(staticFalse)
71 {
72 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
73 printLine("Benign, fixed string");
74 }
75 else
76 {
77 /* FIX: Set data pointer to a large buffer */
78 data = dataGoodBuffer;
79 }
80 {
81 wchar_t dest[100];
82 wmemset(dest, L'C', 100-1);
83 dest[100-1] = L'\0'; /* null terminate */
84 /* POTENTIAL FLAW: using memcpy with the length of the dest where data
85 * could be smaller than dest causing buffer overread */
86 memcpy(dest, data, wcslen(dest)*sizeof(wchar_t));
87 dest[100-1] = L'\0';
88 printWLine(dest);
89 }
90}
91
92/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
93static void goodG2B2()
94{
95 wchar_t * data;
96 wchar_t dataBadBuffer[50];
97 wchar_t dataGoodBuffer[100];
98 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */
99 dataBadBuffer[50-1] = L'\0'; /* null terminate */
100 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */
101 dataGoodBuffer[100-1] = L'\0'; /* null terminate */
102 if(staticTrue)
103 {
104 /* FIX: Set data pointer to a large buffer */
105 data = dataGoodBuffer;
106 }
107 {
108 wchar_t dest[100];
109 wmemset(dest, L'C', 100-1);
110 dest[100-1] = L'\0'; /* null terminate */
111 /* POTENTIAL FLAW: using memcpy with the length of the dest where data
112 * could be smaller than dest causing buffer overread */
113 memcpy(dest, data, wcslen(dest)*sizeof(wchar_t));
114 dest[100-1] = L'\0';
115 printWLine(dest);
116 }
117}
118
119void CWE126_Buffer_Overread__wchar_t_declare_memcpy_05_good()
120{
121 goodG2B1();
122 goodG2B2();
123}
124
125#endif /* OMITGOOD */
126
127/* Below is the main(). It is only used when building this testcase on
128 * its own for testing or for building a binary to use in testing binary
129 * analysis tools. It is not used when compiling all the testcases as one
130 * application, which is how source code analysis tools are tested.
131 */
132
133#ifdef INCLUDEMAIN
134
135int main(int argc, char * argv[])
136{
137 /* seed randomness */
138 srand( (unsigned)time(NULL) );
139#ifndef OMITGOOD
140 printLine("Calling good()...");
141 CWE126_Buffer_Overread__wchar_t_declare_memcpy_05_good();
142 printLine("Finished good()");
143#endif /* OMITGOOD */
144#ifndef OMITBAD
145 printLine("Calling bad()...");
146 CWE126_Buffer_Overread__wchar_t_declare_memcpy_05_bad();
147 printLine("Finished bad()");
148#endif /* OMITBAD */
149 return 0;
150}
151
152#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7431: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncpy_34.c

Nodes: 16 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncpy_34.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4Template File: sources-sink-34.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 * Sinks: ncpy
12 * BadSink : Copy string to data using wcsncpy
13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21typedef union
22{
23 wchar_t * unionFirst;
24 wchar_t * unionSecond;
25} CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncpy_34_unionType;
26
27#ifndef OMITBAD
28
29void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncpy_34_bad()
30{
31 wchar_t * data;
32 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncpy_34_unionType myUnion;
33 data = NULL;
34 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
35 data = (wchar_t *)malloc(50*sizeof(wchar_t));
36 if (data == NULL) {exit(-1);}
37 data[0] = L'\0'; /* null terminate */
38 myUnion.unionFirst = data;
39 {
40 wchar_t * data = myUnion.unionSecond;
41 {
42 wchar_t source[100];
43 wmemset(source, L'C', 100-1); /* fill with L'C's */
44 source[100-1] = L'\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
46 wcsncpy(data, source, 100-1);❗VULN
47 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
48 printWLine(data);
49 free(data);
50 }
51 }
52}
53
54#endif /* OMITBAD */
55
56#ifndef OMITGOOD
57
58/* goodG2B() uses the GoodSource with the BadSink */
59static void goodG2B()
60{
61 wchar_t * data;
62 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncpy_34_unionType myUnion;
63 data = NULL;
64 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
65 data = (wchar_t *)malloc(100*sizeof(wchar_t));
66 if (data == NULL) {exit(-1);}
67 data[0] = L'\0'; /* null terminate */
68 myUnion.unionFirst = data;
69 {
70 wchar_t * data = myUnion.unionSecond;
71 {
72 wchar_t source[100];
73 wmemset(source, L'C', 100-1); /* fill with L'C's */
74 source[100-1] = L'\0'; /* null terminate */
75 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
76 wcsncpy(data, source, 100-1);
77 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
78 printWLine(data);
79 free(data);
80 }
81 }
82}
83
84void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncpy_34_good()
85{
86 goodG2B();
87}
88
89#endif /* OMITGOOD */
90
91/* Below is the main(). It is only used when building this testcase on
92 * its own for testing or for building a binary to use in testing binary
93 * analysis tools. It is not used when compiling all the testcases as one
94 * application, which is how source code analysis tools are tested.
95 */
96#ifdef INCLUDEMAIN
97
98int main(int argc, char * argv[])
99{
100 /* seed randomness */
101 srand( (unsigned)time(NULL) );
102#ifndef OMITGOOD
103 printLine("Calling good()...");
104 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncpy_34_good();
105 printLine("Finished good()");
106#endif /* OMITGOOD */
107#ifndef OMITBAD
108 printLine("Calling bad()...");
109 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_ncpy_34_bad();
110 printLine("Finished bad()");
111#endif /* OMITBAD */
112 return 0;
113}
114
115#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9335: CWE124_Buffer_Underwrite__new_wchar_t_memmove_11.cpp

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__new_wchar_t_memmove_11.cpp
3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml
4Template File: sources-sink-11.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memmove
12 * BadSink : Copy string to data using memmove
13 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE124_Buffer_Underwrite__new_wchar_t_memmove_11
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 wchar_t * data;
29 data = NULL;
30 if(globalReturnsTrue())
31 {
32 {
33 wchar_t * dataBuffer = new wchar_t[100];
34 wmemset(dataBuffer, L'A', 100-1);
35 dataBuffer[100-1] = L'\0';
36 /* FLAW: Set data pointer to before the allocated memory buffer */
37 data = dataBuffer - 8;
38 }
39 }
40 {
41 wchar_t source[100];
42 wmemset(source, L'C', 100-1); /* fill with 'C's */
43 source[100-1] = L'\0'; /* null terminate */
44 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
45 memmove(data, source, 100*sizeof(wchar_t));❗VULN
46 /* Ensure the destination buffer is null terminated */
47 data[100-1] = L'\0';
48 printWLine(data);
49 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
50 * returned by new [] so can't safely call delete [] on it */
51 }
52}
53
54#endif /* OMITBAD */
55
56#ifndef OMITGOOD
57
58/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */
59static void goodG2B1()
60{
61 wchar_t * data;
62 data = NULL;
63 if(globalReturnsFalse())
64 {
65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
66 printLine("Benign, fixed string");
67 }
68 else
69 {
70 {
71 wchar_t * dataBuffer = new wchar_t[100];
72 wmemset(dataBuffer, L'A', 100-1);
73 dataBuffer[100-1] = L'\0';
74 /* FIX: Set data pointer to the allocated memory buffer */
75 data = dataBuffer;
76 }
77 }
78 {
79 wchar_t source[100];
80 wmemset(source, L'C', 100-1); /* fill with 'C's */
81 source[100-1] = L'\0'; /* null terminate */
82 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
83 memmove(data, source, 100*sizeof(wchar_t));
84 /* Ensure the destination buffer is null terminated */
85 data[100-1] = L'\0';
86 printWLine(data);
87 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
88 * returned by new [] so can't safely call delete [] on it */
89 }
90}
91
92/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
93static void goodG2B2()
94{
95 wchar_t * data;
96 data = NULL;
97 if(globalReturnsTrue())
98 {
99 {
100 wchar_t * dataBuffer = new wchar_t[100];
101 wmemset(dataBuffer, L'A', 100-1);
102 dataBuffer[100-1] = L'\0';
103 /* FIX: Set data pointer to the allocated memory buffer */
104 data = dataBuffer;
105 }
106 }
107 {
108 wchar_t source[100];
109 wmemset(source, L'C', 100-1); /* fill with 'C's */
110 source[100-1] = L'\0'; /* null terminate */
111 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
112 memmove(data, source, 100*sizeof(wchar_t));
113 /* Ensure the destination buffer is null terminated */
114 data[100-1] = L'\0';
115 printWLine(data);
116 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
117 * returned by new [] so can't safely call delete [] on it */
118 }
119}
120
121void good()
122{
123 goodG2B1();
124 goodG2B2();
125}
126
127#endif /* OMITGOOD */
128
129} /* close namespace */
130
131/* Below is the main(). It is only used when building this testcase on
132 its own for testing or for building a binary to use in testing binary
133 analysis tools. It is not used when compiling all the testcases as one
134 application, which is how source code analysis tools are tested. */
135
136#ifdef INCLUDEMAIN
137
138using namespace CWE124_Buffer_Underwrite__new_wchar_t_memmove_11; /* so that we can use good and bad easily */
139
140int main(int argc, char * argv[])
141{
142 /* seed randomness */
143 srand( (unsigned)time(NULL) );
144#ifndef OMITGOOD
145 printLine("Calling good()...");
146 good();
147 printLine("Finished good()");
148#endif /* OMITGOOD */
149#ifndef OMITBAD
150 printLine("Calling bad()...");
151 bad();
152 printLine("Finished bad()");
153#endif /* OMITBAD */
154 return 0;
155}
156
157#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2020: CWE121_Stack_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_06.c

Nodes: 8 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_06.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow.label.xml
4Template File: point-flaw-06.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * Sinks: type_overrun_memcpy
10 * GoodSink: Perform the memcpy() and prevent overwriting part of the structure
11 * BadSink : Overwrite part of the structure by incorrectly using the sizeof(struct) in memcpy()
12 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)
13 *
14 * */
15
16#include "std_testcase.h"
17
18#ifndef _WIN32
19#include <wchar.h>
20#endif
21
22/* SRC_STR is 32 wchar_t long, including the null terminator, for 64-bit architectures */
23#define SRC_STR L"0123456789abcdef0123456789abcde"
24
25typedef struct _charVoid
26{
27 wchar_t charFirst[16];
28 void * voidSecond;
29 void * voidThird;
30} charVoid;
31
32/* The variable below is declared "const", so a tool should be able
33 to identify that reads of this will always give its initialized
34 value. */
35static const int STATIC_CONST_FIVE = 5;
36
37#ifndef OMITBAD
38
39void CWE121_Stack_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_06_bad()
40{
41 if(STATIC_CONST_FIVE==5)
42 {
43 {
44 charVoid structCharVoid;
45 structCharVoid.voidSecond = (void *)SRC_STR;
46 /* Print the initial block pointed to by structCharVoid.voidSecond */
47 printWLine((wchar_t *)structCharVoid.voidSecond);
48 /* FLAW: Use the sizeof(structCharVoid) which will overwrite the pointer voidSecond */
49 memcpy(structCharVoid.charFirst, SRC_STR, sizeof(structCharVoid));❗VULN
50 structCharVoid.charFirst[(sizeof(structCharVoid.charFirst)/sizeof(wchar_t))-1] = L'\0'; /* null terminate the string */
51 printWLine((wchar_t *)structCharVoid.charFirst);
52 printWLine((wchar_t *)structCharVoid.voidSecond);
53 }
54 }
55}
56
57#endif /* OMITBAD */
58
59#ifndef OMITGOOD
60
61/* good1() uses if(STATIC_CONST_FIVE!=5) instead of if(STATIC_CONST_FIVE==5) */
62static void good1()
63{
64 if(STATIC_CONST_FIVE!=5)
65 {
66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
67 printLine("Benign, fixed string");
68 }
69 else
70 {
71 {
72 charVoid structCharVoid;
73 structCharVoid.voidSecond = (void *)SRC_STR;
74 /* Print the initial block pointed to by structCharVoid.voidSecond */
75 printWLine((wchar_t *)structCharVoid.voidSecond);
76 /* FIX: Use sizeof(structCharVoid.charFirst) to avoid overwriting the pointer voidSecond */
77 memcpy(structCharVoid.charFirst, SRC_STR, sizeof(structCharVoid.charFirst));
78 structCharVoid.charFirst[(sizeof(structCharVoid.charFirst)/sizeof(wchar_t))-1] = L'\0'; /* null terminate the string */
79 printWLine((wchar_t *)structCharVoid.charFirst);
80 printWLine((wchar_t *)structCharVoid.voidSecond);
81 }
82 }
83}
84
85/* good2() reverses the bodies in the if statement */
86static void good2()
87{
88 if(STATIC_CONST_FIVE==5)
89 {
90 {
91 charVoid structCharVoid;
92 structCharVoid.voidSecond = (void *)SRC_STR;
93 /* Print the initial block pointed to by structCharVoid.voidSecond */
94 printWLine((wchar_t *)structCharVoid.voidSecond);
95 /* FIX: Use sizeof(structCharVoid.charFirst) to avoid overwriting the pointer voidSecond */
96 memcpy(structCharVoid.charFirst, SRC_STR, sizeof(structCharVoid.charFirst));
97 structCharVoid.charFirst[(sizeof(structCharVoid.charFirst)/sizeof(wchar_t))-1] = L'\0'; /* null terminate the string */
98 printWLine((wchar_t *)structCharVoid.charFirst);
99 printWLine((wchar_t *)structCharVoid.voidSecond);
100 }
101 }
102}
103
104void CWE121_Stack_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_06_good()
105{
106 good1();
107 good2();
108}
109
110#endif /* OMITGOOD */
111
112/* Below is the main(). It is only used when building this testcase on
113 its own for testing or for building a binary to use in testing binary
114 analysis tools. It is not used when compiling all the testcases as one
115 application, which is how source code analysis tools are tested. */
116
117#ifdef INCLUDEMAIN
118
119int main(int argc, char * argv[])
120{
121 /* seed randomness */
122 srand( (unsigned)time(NULL) );
123#ifndef OMITGOOD
124 printLine("Calling good()...");
125 CWE121_Stack_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_06_good();
126 printLine("Finished good()");
127#endif /* OMITGOOD */
128#ifndef OMITBAD
129 printLine("Calling bad()...");
130 CWE121_Stack_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_06_bad();
131 printLine("Finished bad()");
132#endif /* OMITBAD */
133 return 0;
134}
135
136#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1515: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_loop_16.cpp

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_loop_16.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193.label.xml
4Template File: sources-sink-16.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 * GoodSource: Allocate enough memory for a string and the NULL terminator
11 * Sink: loop
12 * BadSink : Copy array to data using a loop
13 * Flow Variant: 16 Control flow: while(1)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING "AAAAAAAAAA"
25
26namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_loop_16
27{
28
29#ifndef OMITBAD
30
31void bad()
32{
33 char * data;
34 data = NULL;
35 while(1)
36 {
37 /* FLAW: Did not leave space for a null terminator */
38 data = new char[10];
39 break;
40 }
41 {
42 char source[10+1] = SRC_STRING;
43 size_t i, sourceLen;
44 sourceLen = strlen(source);
45 /* Copy length + 1 to include NUL terminator from source */
46 /* POTENTIAL FLAW: data may not have enough space to hold source */
47 for (i = 0; i < sourceLen + 1; i++)
48 {
49 data[i] = source[i];❗VULN
50 }
51 printLine(data);
52 delete [] data;
53 }
54}
55
56#endif /* OMITBAD */
57
58#ifndef OMITGOOD
59
60/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */
61static void goodG2B()
62{
63 char * data;
64 data = NULL;
65 while(1)
66 {
67 /* FIX: Allocate space for a null terminator */
68 data = new char[10+1];
69 break;
70 }
71 {
72 char source[10+1] = SRC_STRING;
73 size_t i, sourceLen;
74 sourceLen = strlen(source);
75 /* Copy length + 1 to include NUL terminator from source */
76 /* POTENTIAL FLAW: data may not have enough space to hold source */
77 for (i = 0; i < sourceLen + 1; i++)
78 {
79 data[i] = source[i];
80 }
81 printLine(data);
82 delete [] data;
83 }
84}
85
86void good()
87{
88 goodG2B();
89}
90
91#endif /* OMITGOOD */
92
93} /* close namespace */
94
95/* Below is the main(). It is only used when building this testcase on
96 its own for testing or for building a binary to use in testing binary
97 analysis tools. It is not used when compiling all the testcases as one
98 application, which is how source code analysis tools are tested. */
99
100#ifdef INCLUDEMAIN
101
102using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_loop_16; /* so that we can use good and bad easily */
103
104int main(int argc, char * argv[])
105{
106 /* seed randomness */
107 srand( (unsigned)time(NULL) );
108#ifndef OMITGOOD
109 printLine("Calling good()...");
110 good();
111 printLine("Finished good()");
112#endif /* OMITGOOD */
113#ifndef OMITBAD
114 printLine("Calling bad()...");
115 bad();
116 printLine("Finished bad()");
117#endif /* OMITBAD */
118 return 0;
119}
120
121#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5845: CWE124_Buffer_Underwrite__wchar_t_declare_ncpy_32.c

Nodes: 16 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__wchar_t_declare_ncpy_32.c
3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml
4Template File: sources-sink-32.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: ncpy
12 * BadSink : Copy string to data using wcsncpy
13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE124_Buffer_Underwrite__wchar_t_declare_ncpy_32_bad()
24{
25 wchar_t * data;
26 wchar_t * *dataPtr1 = &data;
27 wchar_t * *dataPtr2 = &data;
28 wchar_t dataBuffer[100];
29 wmemset(dataBuffer, L'A', 100-1);
30 dataBuffer[100-1] = L'\0';
31 {
32 wchar_t * data = *dataPtr1;
33 /* FLAW: Set data pointer to before the allocated memory buffer */
34 data = dataBuffer - 8;
35 *dataPtr1 = data;
36 }
37 {
38 wchar_t * data = *dataPtr2;
39 {
40 wchar_t source[100];
41 wmemset(source, L'C', 100-1); /* fill with 'C's */
42 source[100-1] = L'\0'; /* null terminate */
43 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
44 wcsncpy(data, source, 100-1);❗VULN
45 /* Ensure the destination buffer is null terminated */
46 data[100-1] = L'\0';
47 printWLine(data);
48 }
49 }
50}
51
52#endif /* OMITBAD */
53
54#ifndef OMITGOOD
55
56/* goodG2B() uses the GoodSource with the BadSink */
57static void goodG2B()
58{
59 wchar_t * data;
60 wchar_t * *dataPtr1 = &data;
61 wchar_t * *dataPtr2 = &data;
62 wchar_t dataBuffer[100];
63 wmemset(dataBuffer, L'A', 100-1);
64 dataBuffer[100-1] = L'\0';
65 {
66 wchar_t * data = *dataPtr1;
67 /* FIX: Set data pointer to the allocated memory buffer */
68 data = dataBuffer;
69 *dataPtr1 = data;
70 }
71 {
72 wchar_t * data = *dataPtr2;
73 {
74 wchar_t source[100];
75 wmemset(source, L'C', 100-1); /* fill with 'C's */
76 source[100-1] = L'\0'; /* null terminate */
77 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
78 wcsncpy(data, source, 100-1);
79 /* Ensure the destination buffer is null terminated */
80 data[100-1] = L'\0';
81 printWLine(data);
82 }
83 }
84}
85
86void CWE124_Buffer_Underwrite__wchar_t_declare_ncpy_32_good()
87{
88 goodG2B();
89}
90
91#endif /* OMITGOOD */
92
93/* Below is the main(). It is only used when building this testcase on
94 * its own for testing or for building a binary to use in testing binary
95 * analysis tools. It is not used when compiling all the testcases as one
96 * application, which is how source code analysis tools are tested.
97 */
98#ifdef INCLUDEMAIN
99
100int main(int argc, char * argv[])
101{
102 /* seed randomness */
103 srand( (unsigned)time(NULL) );
104#ifndef OMITGOOD
105 printLine("Calling good()...");
106 CWE124_Buffer_Underwrite__wchar_t_declare_ncpy_32_good();
107 printLine("Finished good()");
108#endif /* OMITGOOD */
109#ifndef OMITBAD
110 printLine("Calling bad()...");
111 CWE124_Buffer_Underwrite__wchar_t_declare_ncpy_32_bad();
112 printLine("Finished bad()");
113#endif /* OMITBAD */
114 return 0;
115}
116
117#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8126: CWE126_Buffer_Overread__malloc_wchar_t_memcpy_08.c

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__malloc_wchar_t_memcpy_08.c
3Label Definition File: CWE126_Buffer_Overread__malloc.label.xml
4Template File: sources-sink-08.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Use a small buffer
10 * GoodSource: Use a large buffer
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 08 Control flow: if(staticReturnsTrue()) and if(staticReturnsFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two function below always return the same value, so a tool
22 * should be able to identify that calls to the functions will always
23 * return a fixed value.
24 */
25static int staticReturnsTrue()
26{
27 return 1;
28}
29
30static int staticReturnsFalse()
31{
32 return 0;
33}
34
35#ifndef OMITBAD
36
37void CWE126_Buffer_Overread__malloc_wchar_t_memcpy_08_bad()
38{
39 wchar_t * data;
40 data = NULL;
41 if(staticReturnsTrue())
42 {
43 /* FLAW: Use a small buffer */
44 data = (wchar_t *)malloc(50*sizeof(wchar_t));
45 if (data == NULL) {exit(-1);}
46 wmemset(data, L'A', 50-1); /* fill with 'A's */
47 data[50-1] = L'\0'; /* null terminate */
48 }
49 {
50 wchar_t dest[100];
51 wmemset(dest, L'C', 100-1);
52 dest[100-1] = L'\0'; /* null terminate */
53 /* POTENTIAL FLAW: using memcpy with the length of the dest where data
54 * could be smaller than dest causing buffer overread */
55 memcpy(dest, data, wcslen(dest)*sizeof(wchar_t));❗VULN
56 dest[100-1] = L'\0';
57 printWLine(dest);
58 free(data);
59 }
60}
61
62#endif /* OMITBAD */
63
64#ifndef OMITGOOD
65
66/* goodG2B1() - use goodsource and badsink by changing the staticReturnsTrue() to staticReturnsFalse() */
67static void goodG2B1()
68{
69 wchar_t * data;
70 data = NULL;
71 if(staticReturnsFalse())
72 {
73 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
74 printLine("Benign, fixed string");
75 }
76 else
77 {
78 /* FIX: Use a large buffer */
79 data = (wchar_t *)malloc(100*sizeof(wchar_t));
80 if (data == NULL) {exit(-1);}
81 wmemset(data, L'A', 100-1); /* fill with 'A's */
82 data[100-1] = L'\0'; /* null terminate */
83 }
84 {
85 wchar_t dest[100];
86 wmemset(dest, L'C', 100-1);
87 dest[100-1] = L'\0'; /* null terminate */
88 /* POTENTIAL FLAW: using memcpy with the length of the dest where data
89 * could be smaller than dest causing buffer overread */
90 memcpy(dest, data, wcslen(dest)*sizeof(wchar_t));
91 dest[100-1] = L'\0';
92 printWLine(dest);
93 free(data);
94 }
95}
96
97/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
98static void goodG2B2()
99{
100 wchar_t * data;
101 data = NULL;
102 if(staticReturnsTrue())
103 {
104 /* FIX: Use a large buffer */
105 data = (wchar_t *)malloc(100*sizeof(wchar_t));
106 if (data == NULL) {exit(-1);}
107 wmemset(data, L'A', 100-1); /* fill with 'A's */
108 data[100-1] = L'\0'; /* null terminate */
109 }
110 {
111 wchar_t dest[100];
112 wmemset(dest, L'C', 100-1);
113 dest[100-1] = L'\0'; /* null terminate */
114 /* POTENTIAL FLAW: using memcpy with the length of the dest where data
115 * could be smaller than dest causing buffer overread */
116 memcpy(dest, data, wcslen(dest)*sizeof(wchar_t));
117 dest[100-1] = L'\0';
118 printWLine(dest);
119 free(data);
120 }
121}
122
123void CWE126_Buffer_Overread__malloc_wchar_t_memcpy_08_good()
124{
125 goodG2B1();
126 goodG2B2();
127}
128
129#endif /* OMITGOOD */
130
131/* Below is the main(). It is only used when building this testcase on
132 * its own for testing or for building a binary to use in testing binary
133 * analysis tools. It is not used when compiling all the testcases as one
134 * application, which is how source code analysis tools are tested.
135 */
136
137#ifdef INCLUDEMAIN
138
139int main(int argc, char * argv[])
140{
141 /* seed randomness */
142 srand( (unsigned)time(NULL) );
143#ifndef OMITGOOD
144 printLine("Calling good()...");
145 CWE126_Buffer_Overread__malloc_wchar_t_memcpy_08_good();
146 printLine("Finished good()");
147#endif /* OMITGOOD */
148#ifndef OMITBAD
149 printLine("Calling bad()...");
150 CWE126_Buffer_Overread__malloc_wchar_t_memcpy_08_bad();
151 printLine("Finished bad()");
152#endif /* OMITBAD */
153 return 0;
154}
155
156#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3605: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_memcpy_42.c

Nodes: 8 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_memcpy_42.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml
4Template File: sources-sink-42.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 42 Data flow: data returned from one function to another in the same source file
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23static char * badSource(char * data)
24{
25 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
26 memset(data, 'A', 100-1); /* fill with 'A's */
27 data[100-1] = '\0'; /* null terminate */
28 return data;
29}
30
31void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_memcpy_42_bad()
32{
33 char * data;
34 char dataBuffer[100];
35 data = dataBuffer;
36 data = badSource(data);
37 {
38 char dest[50] = "";
39 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
40 memcpy(dest, data, strlen(data)*sizeof(char));❗VULN
41 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
42 printLine(data);
43 }
44}
45
46#endif /* OMITBAD */
47
48#ifndef OMITGOOD
49
50static char * goodG2BSource(char * data)
51{
52 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
53 memset(data, 'A', 50-1); /* fill with 'A's */
54 data[50-1] = '\0'; /* null terminate */
55 return data;
56}
57
58/* goodG2B uses the GoodSource with the BadSink */
59static void goodG2B()
60{
61 char * data;
62 char dataBuffer[100];
63 data = dataBuffer;
64 data = goodG2BSource(data);
65 {
66 char dest[50] = "";
67 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
68 memcpy(dest, data, strlen(data)*sizeof(char));
69 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
70 printLine(data);
71 }
72}
73
74void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_memcpy_42_good()
75{
76 goodG2B();
77}
78
79#endif /* OMITGOOD */
80
81/* Below is the main(). It is only used when building this testcase on
82 * its own for testing or for building a binary to use in testing binary
83 * analysis tools. It is not used when compiling all the testcases as one
84 * application, which is how source code analysis tools are tested.
85 */
86
87#ifdef INCLUDEMAIN
88
89int main(int argc, char * argv[])
90{
91 /* seed randomness */
92 srand( (unsigned)time(NULL) );
93#ifndef OMITGOOD
94 printLine("Calling good()...");
95 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_memcpy_42_good();
96 printLine("Finished good()");
97#endif /* OMITGOOD */
98#ifndef OMITBAD
99 printLine("Calling bad()...");
100 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_memcpy_42_bad();
101 printLine("Finished bad()");
102#endif /* OMITBAD */
103 return 0;
104}
105
106#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1248: CWE124_Buffer_Underwrite__CWE839_connect_socket_12.c

Nodes: 51 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__CWE839_connect_socket_12.c
3Label Definition File: CWE124_Buffer_Underwrite__CWE839.label.xml
4Template File: sources-sinks-12.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: connect_socket Read data using a connect socket (client side)
10 * GoodSource: Non-negative but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the lower bound
14 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())
15 *
16 * */
17
18#include "std_testcase.h"
19
20#ifdef _WIN32
21#include <winsock2.h>
22#include <windows.h>
23#include <direct.h>
24#pragma comment(lib, "ws2_32") /* include ws2_32.lib when linking */
25#define CLOSE_SOCKET closesocket
26#else /* NOT _WIN32 */
27#include <sys/types.h>
28#include <sys/socket.h>
29#include <netinet/in.h>
30#include <arpa/inet.h>
31#include <unistd.h>
32#define INVALID_SOCKET -1
33#define SOCKET_ERROR -1
34#define CLOSE_SOCKET close
35#define SOCKET int
36#endif
37
38#define TCP_PORT 27015
39#define IP_ADDRESS "127.0.0.1"
40#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)
41
42#ifndef OMITBAD
43
44void CWE124_Buffer_Underwrite__CWE839_connect_socket_12_bad()
45{
46 int data;
47 /* Initialize data */
48 data = -1;
49 if(globalReturnsTrueOrFalse())
50 {
51 {
52#ifdef _WIN32
53 WSADATA wsaData;
54 int wsaDataInit = 0;
55#endif
56 int recvResult;
57 struct sockaddr_in service;
58 SOCKET connectSocket = INVALID_SOCKET;
59 char inputBuffer[CHAR_ARRAY_SIZE];
60 do
61 {
62#ifdef _WIN32
63 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
64 {
65 break;
66 }
67 wsaDataInit = 1;
68#endif
69 /* POTENTIAL FLAW: Read data using a connect socket */
70 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
71 if (connectSocket == INVALID_SOCKET)
72 {
73 break;
74 }
75 memset(&service, 0, sizeof(service));
76 service.sin_family = AF_INET;
77 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);
78 service.sin_port = htons(TCP_PORT);
79 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
80 {
81 break;
82 }
83 /* Abort on error or the connection was closed, make sure to recv one
84 * less char than is in the recv_buf in order to append a terminator */
85 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);
86 if (recvResult == SOCKET_ERROR || recvResult == 0)
87 {
88 break;
89 }
90 /* NUL-terminate the string */
91 inputBuffer[recvResult] = '\0';
92 /* Convert to int */
93 data = atoi(inputBuffer);
94 }
95 while (0);
96 if (connectSocket != INVALID_SOCKET)
97 {
98 CLOSE_SOCKET(connectSocket);
99 }
100#ifdef _WIN32
101 if (wsaDataInit)
102 {
103 WSACleanup();
104 }
105#endif
106 }
107 }
108 else
109 {
110 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
111 * access an index of the array in the sink that is out-of-bounds */
112 data = 7;
113 }
114 if(globalReturnsTrueOrFalse())
115 {
116 {
117 int i;
118 int buffer[10] = { 0 };
119 /* POTENTIAL FLAW: Attempt to access a negative index of the array
120 * This code does not check to see if the array index is negative */
121 if (data < 10)
122 {
123 buffer[data] = 1;❗VULN
124 /* Print the array values */
125 for(i = 0; i < 10; i++)
126 {
127 printIntLine(buffer[i]);
128 }
129 }
130 else
131 {
132 printLine("ERROR: Array index is negative.");
133 }
134 }
135 }
136 else
137 {
138 {
139 int i;
140 int buffer[10] = { 0 };
141 /* FIX: Properly validate the array index and prevent a buffer underwrite */
142 if (data >= 0 && data < (10))
143 {
144 buffer[data] = 1;
145 /* Print the array values */
146 for(i = 0; i < 10; i++)
147 {
148 printIntLine(buffer[i]);
149 }
150 }
151 else
152 {
153 printLine("ERROR: Array index is out-of-bounds");
154 }
155 }
156 }
157}
158
159#endif /* OMITBAD */
160
161#ifndef OMITGOOD
162
163/* goodB2G() - use badsource and goodsink by changing the first "if" so that
164 both branches use the BadSource and the second "if" so that both branches
165 use the GoodSink */
166static void goodB2G()
167{
168 int data;
169 /* Initialize data */
170 data = -1;
171 if(globalReturnsTrueOrFalse())
172 {
173 {
174#ifdef _WIN32
175 WSADATA wsaData;
176 int wsaDataInit = 0;
177#endif
178 int recvResult;
179 struct sockaddr_in service;
180 SOCKET connectSocket = INVALID_SOCKET;
181 char inputBuffer[CHAR_ARRAY_SIZE];
182 do
183 {
184#ifdef _WIN32
185 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
186 {
187 break;
188 }
189 wsaDataInit = 1;
190#endif
191 /* POTENTIAL FLAW: Read data using a connect socket */
192 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
193 if (connectSocket == INVALID_SOCKET)
194 {
195 break;
196 }
197 memset(&service, 0, sizeof(service));
198 service.sin_family = AF_INET;
199 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);
200 service.sin_port = htons(TCP_PORT);
201 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
202 {
203 break;
204 }
205 /* Abort on error or the connection was closed, make sure to recv one
206 * less char than is in the recv_buf in order to append a terminator */
207 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);
208 if (recvResult == SOCKET_ERROR || recvResult == 0)
209 {
210 break;
211 }
212 /* NUL-terminate the string */
213 inputBuffer[recvResult] = '\0';
214 /* Convert to int */
215 data = atoi(inputBuffer);
216 }
217 while (0);
218 if (connectSocket != INVALID_SOCKET)
219 {
220 CLOSE_SOCKET(connectSocket);
221 }
222#ifdef _WIN32
223 if (wsaDataInit)
224 {
225 WSACleanup();
226 }
227#endif
228 }
229 }
230 else
231 {
232 {
233#ifdef _WIN32
234 WSADATA wsaData;
235 int wsaDataInit = 0;
236#endif
237 int recvResult;
238 struct sockaddr_in service;
239 SOCKET connectSocket = INVALID_SOCKET;
240 char inputBuffer[CHAR_ARRAY_SIZE];
241 do
242 {
243#ifdef _WIN32
244 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
245 {
246 break;
247 }
248 wsaDataInit = 1;
249#endif
250 /* POTENTIAL FLAW: Read data using a connect socket */
251 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
252 if (connectSocket == INVALID_SOCKET)
253 {
254 break;
255 }
256 memset(&service, 0, sizeof(service));
257 service.sin_family = AF_INET;
258 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);
259 service.sin_port = htons(TCP_PORT);
260 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
261 {
262 break;
263 }
264 /* Abort on error or the connection was closed, make sure to recv one
265 * less char than is in the recv_buf in order to append a terminator */
266 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);
267 if (recvResult == SOCKET_ERROR || recvResult == 0)
268 {
269 break;
270 }
271 /* NUL-terminate the string */
272 inputBuffer[recvResult] = '\0';
273 /* Convert to int */
274 data = atoi(inputBuffer);
275 }
276 while (0);
277 if (connectSocket != INVALID_SOCKET)
278 {
279 CLOSE_SOCKET(connectSocket);
280 }
281#ifdef _WIN32
282 if (wsaDataInit)
283 {
284 WSACleanup();
285 }
286#endif
287 }
288 }
289 if(globalReturnsTrueOrFalse())
290 {
291 {
292 int i;
293 int buffer[10] = { 0 };
294 /* FIX: Properly validate the array index and prevent a buffer underwrite */
295 if (data >= 0 && data < (10))
296 {
297 buffer[data] = 1;
298 /* Print the array values */
299 for(i = 0; i < 10; i++)
300 {
301 printIntLine(buffer[i]);
302 }
303 }
304 else
305 {
306 printLine("ERROR: Array index is out-of-bounds");
307 }
308 }
309 }
310 else
311 {
312 {
313 int i;
314 int buffer[10] = { 0 };
315 /* FIX: Properly validate the array index and prevent a buffer underwrite */
316 if (data >= 0 && data < (10))
317 {
318 buffer[data] = 1;
319 /* Print the array values */
320 for(i = 0; i < 10; i++)
321 {
322 printIntLine(buffer[i]);
323 }
324 }
325 else
326 {
327 printLine("ERROR: Array index is out-of-bounds");
328 }
329 }
330 }
331}
332
333/* goodG2B() - use goodsource and badsink by changing the first "if" so that
334 both branches use the GoodSource and the second "if" so that both branches
335 use the BadSink */
336static void goodG2B()
337{
338 int data;
339 /* Initialize data */
340 data = -1;
341 if(globalReturnsTrueOrFalse())
342 {
343 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
344 * access an index of the array in the sink that is out-of-bounds */
345 data = 7;
346 }
347 else
348 {
349 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
350 * access an index of the array in the sink that is out-of-bounds */
351 data = 7;
352 }
353 if(globalReturnsTrueOrFalse())
354 {
355 {
356 int i;
357 int buffer[10] = { 0 };
358 /* POTENTIAL FLAW: Attempt to access a negative index of the array
359 * This code does not check to see if the array index is negative */
360 if (data < 10)
361 {
362 buffer[data] = 1;
363 /* Print the array values */
364 for(i = 0; i < 10; i++)
365 {
366 printIntLine(buffer[i]);
367 }
368 }
369 else
370 {
371 printLine("ERROR: Array index is negative.");
372 }
373 }
374 }
375 else
376 {
377 {
378 int i;
379 int buffer[10] = { 0 };
380 /* POTENTIAL FLAW: Attempt to access a negative index of the array
381 * This code does not check to see if the array index is negative */
382 if (data < 10)
383 {
384 buffer[data] = 1;
385 /* Print the array values */
386 for(i = 0; i < 10; i++)
387 {
388 printIntLine(buffer[i]);
389 }
390 }
391 else
392 {
393 printLine("ERROR: Array index is negative.");
394 }
395 }
396 }
397}
398
399void CWE124_Buffer_Underwrite__CWE839_connect_socket_12_good()
400{
401 goodB2G();
402 goodG2B();
403}
404
405#endif /* OMITGOOD */
406
407/* Below is the main(). It is only used when building this testcase on
408 its own for testing or for building a binary to use in testing binary
409 analysis tools. It is not used when compiling all the testcases as one
410 application, which is how source code analysis tools are tested. */
411
412#ifdef INCLUDEMAIN
413
414int main(int argc, char * argv[])
415{
416 /* seed randomness */
417 srand( (unsigned)time(NULL) );
418#ifndef OMITGOOD
419 printLine("Calling good()...");
420 CWE124_Buffer_Underwrite__CWE839_connect_socket_12_good();
421 printLine("Finished good()");
422#endif /* OMITGOOD */
423#ifndef OMITBAD
424 printLine("Calling bad()...");
425 CWE124_Buffer_Underwrite__CWE839_connect_socket_12_bad();
426 printLine("Finished bad()");
427#endif /* OMITBAD */
428 return 0;
429}
430
431#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6205: CWE127_Buffer_Underread__new_char_memmove_11.cpp

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__new_char_memmove_11.cpp
3Label Definition File: CWE127_Buffer_Underread__new.label.xml
4Template File: sources-sink-11.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE127_Buffer_Underread__new_char_memmove_11
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 char * data;
29 data = NULL;
30 if(globalReturnsTrue())
31 {
32 {
33 char * dataBuffer = new char[100];
34 memset(dataBuffer, 'A', 100-1);
35 dataBuffer[100-1] = '\0';
36 /* FLAW: Set data pointer to before the allocated memory buffer */
37 data = dataBuffer - 8;
38 }
39 }
40 {
41 char dest[100];
42 memset(dest, 'C', 100-1); /* fill with 'C's */
43 dest[100-1] = '\0'; /* null terminate */
44 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
45 memmove(dest, data, 100*sizeof(char));❗VULN
46 /* Ensure null termination */
47 dest[100-1] = '\0';
48 printLine(dest);
49 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
50 * returned by new [] so can't safely call delete [] on it */
51 }
52}
53
54#endif /* OMITBAD */
55
56#ifndef OMITGOOD
57
58/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */
59static void goodG2B1()
60{
61 char * data;
62 data = NULL;
63 if(globalReturnsFalse())
64 {
65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
66 printLine("Benign, fixed string");
67 }
68 else
69 {
70 {
71 char * dataBuffer = new char[100];
72 memset(dataBuffer, 'A', 100-1);
73 dataBuffer[100-1] = '\0';
74 /* FIX: Set data pointer to the allocated memory buffer */
75 data = dataBuffer;
76 }
77 }
78 {
79 char dest[100];
80 memset(dest, 'C', 100-1); /* fill with 'C's */
81 dest[100-1] = '\0'; /* null terminate */
82 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
83 memmove(dest, data, 100*sizeof(char));
84 /* Ensure null termination */
85 dest[100-1] = '\0';
86 printLine(dest);
87 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
88 * returned by new [] so can't safely call delete [] on it */
89 }
90}
91
92/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
93static void goodG2B2()
94{
95 char * data;
96 data = NULL;
97 if(globalReturnsTrue())
98 {
99 {
100 char * dataBuffer = new char[100];
101 memset(dataBuffer, 'A', 100-1);
102 dataBuffer[100-1] = '\0';
103 /* FIX: Set data pointer to the allocated memory buffer */
104 data = dataBuffer;
105 }
106 }
107 {
108 char dest[100];
109 memset(dest, 'C', 100-1); /* fill with 'C's */
110 dest[100-1] = '\0'; /* null terminate */
111 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
112 memmove(dest, data, 100*sizeof(char));
113 /* Ensure null termination */
114 dest[100-1] = '\0';
115 printLine(dest);
116 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
117 * returned by new [] so can't safely call delete [] on it */
118 }
119}
120
121void good()
122{
123 goodG2B1();
124 goodG2B2();
125}
126
127#endif /* OMITGOOD */
128
129} /* close namespace */
130
131/* Below is the main(). It is only used when building this testcase on
132 its own for testing or for building a binary to use in testing binary
133 analysis tools. It is not used when compiling all the testcases as one
134 application, which is how source code analysis tools are tested. */
135
136#ifdef INCLUDEMAIN
137
138using namespace CWE127_Buffer_Underread__new_char_memmove_11; /* so that we can use good and bad easily */
139
140int main(int argc, char * argv[])
141{
142 /* seed randomness */
143 srand( (unsigned)time(NULL) );
144#ifndef OMITGOOD
145 printLine("Calling good()...");
146 good();
147 printLine("Finished good()");
148#endif /* OMITGOOD */
149#ifndef OMITBAD
150 printLine("Calling bad()...");
151 bad();
152 printLine("Finished bad()");
153#endif /* OMITBAD */
154 return 0;
155}
156
157#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3056: CWE127_Buffer_Underread__malloc_char_loop_07.c

Nodes: 19 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__malloc_char_loop_07.c
3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml
4Template File: sources-sink-07.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The variable below is not declared "const", but is never assigned
22 * any other value so a tool should be able to identify that reads of
23 * this will always give its initialized value.
24 */
25static int staticFive = 5;
26
27#ifndef OMITBAD
28
29void CWE127_Buffer_Underread__malloc_char_loop_07_bad()
30{
31 char * data;
32 data = NULL;
33 if(staticFive==5)
34 {
35 {
36 char * dataBuffer = (char *)malloc(100*sizeof(char));
37 if (dataBuffer == NULL) {exit(-1);}
38 memset(dataBuffer, 'A', 100-1);
39 dataBuffer[100-1] = '\0';
40 /* FLAW: Set data pointer to before the allocated memory buffer */
41 data = dataBuffer - 8;
42 }
43 }
44 {
45 size_t i;
46 char dest[100];
47 memset(dest, 'C', 100-1); /* fill with 'C's */
48 dest[100-1] = '\0'; /* null terminate */
49 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
50 for (i = 0; i < 100; i++)
51 {
52 dest[i] = data[i];❗VULN
53 }
54 /* Ensure null termination */
55 dest[100-1] = '\0';
56 printLine(dest);
57 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
58 * returned by malloc() so can't safely call free() on it */
59 }
60}
61
62#endif /* OMITBAD */
63
64#ifndef OMITGOOD
65
66/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
67static void goodG2B1()
68{
69 char * data;
70 data = NULL;
71 if(staticFive!=5)
72 {
73 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
74 printLine("Benign, fixed string");
75 }
76 else
77 {
78 {
79 char * dataBuffer = (char *)malloc(100*sizeof(char));
80 if (dataBuffer == NULL) {exit(-1);}
81 memset(dataBuffer, 'A', 100-1);
82 dataBuffer[100-1] = '\0';
83 /* FIX: Set data pointer to the allocated memory buffer */
84 data = dataBuffer;
85 }
86 }
87 {
88 size_t i;
89 char dest[100];
90 memset(dest, 'C', 100-1); /* fill with 'C's */
91 dest[100-1] = '\0'; /* null terminate */
92 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
93 for (i = 0; i < 100; i++)
94 {
95 dest[i] = data[i];
96 }
97 /* Ensure null termination */
98 dest[100-1] = '\0';
99 printLine(dest);
100 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
101 * returned by malloc() so can't safely call free() on it */
102 }
103}
104
105/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
106static void goodG2B2()
107{
108 char * data;
109 data = NULL;
110 if(staticFive==5)
111 {
112 {
113 char * dataBuffer = (char *)malloc(100*sizeof(char));
114 if (dataBuffer == NULL) {exit(-1);}
115 memset(dataBuffer, 'A', 100-1);
116 dataBuffer[100-1] = '\0';
117 /* FIX: Set data pointer to the allocated memory buffer */
118 data = dataBuffer;
119 }
120 }
121 {
122 size_t i;
123 char dest[100];
124 memset(dest, 'C', 100-1); /* fill with 'C's */
125 dest[100-1] = '\0'; /* null terminate */
126 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
127 for (i = 0; i < 100; i++)
128 {
129 dest[i] = data[i];
130 }
131 /* Ensure null termination */
132 dest[100-1] = '\0';
133 printLine(dest);
134 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
135 * returned by malloc() so can't safely call free() on it */
136 }
137}
138
139void CWE127_Buffer_Underread__malloc_char_loop_07_good()
140{
141 goodG2B1();
142 goodG2B2();
143}
144
145#endif /* OMITGOOD */
146
147/* Below is the main(). It is only used when building this testcase on
148 * its own for testing or for building a binary to use in testing binary
149 * analysis tools. It is not used when compiling all the testcases as one
150 * application, which is how source code analysis tools are tested.
151 */
152
153#ifdef INCLUDEMAIN
154
155int main(int argc, char * argv[])
156{
157 /* seed randomness */
158 srand( (unsigned)time(NULL) );
159#ifndef OMITGOOD
160 printLine("Calling good()...");
161 CWE127_Buffer_Underread__malloc_char_loop_07_good();
162 printLine("Finished good()");
163#endif /* OMITGOOD */
164#ifndef OMITBAD
165 printLine("Calling bad()...");
166 CWE127_Buffer_Underread__malloc_char_loop_07_bad();
167 printLine("Finished bad()");
168#endif /* OMITBAD */
169 return 0;
170}
171
172#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7713: CWE126_Buffer_Overread__new_char_loop_01.cpp

Nodes: 17 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__new_char_loop_01.cpp
3Label Definition File: CWE126_Buffer_Overread__new.label.xml
4Template File: sources-sink-01.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Use a small buffer
10 * GoodSource: Use a large buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 01 Baseline
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE126_Buffer_Overread__new_char_loop_01
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 char * data;
29 data = NULL;
30 /* FLAW: Use a small buffer */
31 data = new char[50];
32 memset(data, 'A', 50-1); /* fill with 'A's */
33 data[50-1] = '\0'; /* null terminate */
34 {
35 size_t i, destLen;
36 char dest[100];
37 memset(dest, 'C', 100-1);
38 dest[100-1] = '\0'; /* null terminate */
39 destLen = strlen(dest);
40 /* POTENTIAL FLAW: using length of the dest where data
41 * could be smaller than dest causing buffer overread */
42 for (i = 0; i < destLen; i++)
43 {
44 dest[i] = data[i];❗VULN
45 }
46 dest[100-1] = '\0';
47 printLine(dest);
48 delete [] data;
49 }
50}
51
52#endif /* OMITBAD */
53
54#ifndef OMITGOOD
55
56/* goodG2B uses the GoodSource with the BadSink */
57static void goodG2B()
58{
59 char * data;
60 data = NULL;
61 /* FIX: Use a large buffer */
62 data = new char[100];
63 memset(data, 'A', 100-1); /* fill with 'A's */
64 data[100-1] = '\0'; /* null terminate */
65 {
66 size_t i, destLen;
67 char dest[100];
68 memset(dest, 'C', 100-1);
69 dest[100-1] = '\0'; /* null terminate */
70 destLen = strlen(dest);
71 /* POTENTIAL FLAW: using length of the dest where data
72 * could be smaller than dest causing buffer overread */
73 for (i = 0; i < destLen; i++)
74 {
75 dest[i] = data[i];
76 }
77 dest[100-1] = '\0';
78 printLine(dest);
79 delete [] data;
80 }
81}
82
83void good()
84{
85 goodG2B();
86}
87
88#endif /* OMITGOOD */
89
90} /* close namespace */
91
92/* Below is the main(). It is only used when building this testcase on
93 its own for testing or for building a binary to use in testing binary
94 analysis tools. It is not used when compiling all the testcases as one
95 application, which is how source code analysis tools are tested. */
96
97#ifdef INCLUDEMAIN
98
99using namespace CWE126_Buffer_Overread__new_char_loop_01; /* so that we can use good and bad easily */
100
101int main(int argc, char * argv[])
102{
103 /* seed randomness */
104 srand( (unsigned)time(NULL) );
105#ifndef OMITGOOD
106 printLine("Calling good()...");
107 good();
108 printLine("Finished good()");
109#endif /* OMITGOOD */
110#ifndef OMITBAD
111 printLine("Calling bad()...");
112 bad();
113 printLine("Finished bad()");
114#endif /* OMITBAD */
115 return 0;
116}
117
118#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8915: CWE127_Buffer_Underread__malloc_char_loop_42.c

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__malloc_char_loop_42.c
3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml
4Template File: sources-sink-42.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 42 Data flow: data returned from one function to another in the same source file
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23static char * badSource(char * data)
24{
25 {
26 char * dataBuffer = (char *)malloc(100*sizeof(char));
27 if (dataBuffer == NULL) {exit(-1);}
28 memset(dataBuffer, 'A', 100-1);
29 dataBuffer[100-1] = '\0';
30 /* FLAW: Set data pointer to before the allocated memory buffer */
31 data = dataBuffer - 8;
32 }
33 return data;
34}
35
36void CWE127_Buffer_Underread__malloc_char_loop_42_bad()
37{
38 char * data;
39 data = NULL;
40 data = badSource(data);
41 {
42 size_t i;
43 char dest[100];
44 memset(dest, 'C', 100-1); /* fill with 'C's */
45 dest[100-1] = '\0'; /* null terminate */
46 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
47 for (i = 0; i < 100; i++)
48 {
49 dest[i] = data[i];❗VULN
50 }
51 /* Ensure null termination */
52 dest[100-1] = '\0';
53 printLine(dest);
54 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
55 * returned by malloc() so can't safely call free() on it */
56 }
57}
58
59#endif /* OMITBAD */
60
61#ifndef OMITGOOD
62
63static char * goodG2BSource(char * data)
64{
65 {
66 char * dataBuffer = (char *)malloc(100*sizeof(char));
67 if (dataBuffer == NULL) {exit(-1);}
68 memset(dataBuffer, 'A', 100-1);
69 dataBuffer[100-1] = '\0';
70 /* FIX: Set data pointer to the allocated memory buffer */
71 data = dataBuffer;
72 }
73 return data;
74}
75
76/* goodG2B uses the GoodSource with the BadSink */
77static void goodG2B()
78{
79 char * data;
80 data = NULL;
81 data = goodG2BSource(data);
82 {
83 size_t i;
84 char dest[100];
85 memset(dest, 'C', 100-1); /* fill with 'C's */
86 dest[100-1] = '\0'; /* null terminate */
87 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
88 for (i = 0; i < 100; i++)
89 {
90 dest[i] = data[i];
91 }
92 /* Ensure null termination */
93 dest[100-1] = '\0';
94 printLine(dest);
95 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
96 * returned by malloc() so can't safely call free() on it */
97 }
98}
99
100void CWE127_Buffer_Underread__malloc_char_loop_42_good()
101{
102 goodG2B();
103}
104
105#endif /* OMITGOOD */
106
107/* Below is the main(). It is only used when building this testcase on
108 * its own for testing or for building a binary to use in testing binary
109 * analysis tools. It is not used when compiling all the testcases as one
110 * application, which is how source code analysis tools are tested.
111 */
112
113#ifdef INCLUDEMAIN
114
115int main(int argc, char * argv[])
116{
117 /* seed randomness */
118 srand( (unsigned)time(NULL) );
119#ifndef OMITGOOD
120 printLine("Calling good()...");
121 CWE127_Buffer_Underread__malloc_char_loop_42_good();
122 printLine("Finished good()");
123#endif /* OMITGOOD */
124#ifndef OMITBAD
125 printLine("Calling bad()...");
126 CWE127_Buffer_Underread__malloc_char_loop_42_bad();
127 printLine("Finished bad()");
128#endif /* OMITBAD */
129 return 0;
130}
131
132#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4797: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_ncpy_34.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_ncpy_34.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml
4Template File: sources-sink-34.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 * GoodSource: Allocate enough memory for a string and the NULL terminator
11 * Sinks: ncpy
12 * BadSink : Copy string to data using strncpy()
13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING "AAAAAAAAAA"
25
26typedef union
27{
28 char * unionFirst;
29 char * unionSecond;
30} CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_ncpy_34_unionType;
31
32#ifndef OMITBAD
33
34void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_ncpy_34_bad()
35{
36 char * data;
37 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_ncpy_34_unionType myUnion;
38 data = NULL;
39 /* FLAW: Did not leave space for a null terminator */
40 data = (char *)malloc(10*sizeof(char));
41 if (data == NULL) {exit(-1);}
42 myUnion.unionFirst = data;
43 {
44 char * data = myUnion.unionSecond;
45 {
46 char source[10+1] = SRC_STRING;
47 /* Copy length + 1 to include NUL terminator from source */
48 /* POTENTIAL FLAW: data may not have enough space to hold source */
49 strncpy(data, source, strlen(source) + 1);❗VULN
50 printLine(data);
51 free(data);
52 }
53 }
54}
55
56#endif /* OMITBAD */
57
58#ifndef OMITGOOD
59
60/* goodG2B() uses the GoodSource with the BadSink */
61static void goodG2B()
62{
63 char * data;
64 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_ncpy_34_unionType myUnion;
65 data = NULL;
66 /* FIX: Allocate space for a null terminator */
67 data = (char *)malloc((10+1)*sizeof(char));
68 if (data == NULL) {exit(-1);}
69 myUnion.unionFirst = data;
70 {
71 char * data = myUnion.unionSecond;
72 {
73 char source[10+1] = SRC_STRING;
74 /* Copy length + 1 to include NUL terminator from source */
75 /* POTENTIAL FLAW: data may not have enough space to hold source */
76 strncpy(data, source, strlen(source) + 1);
77 printLine(data);
78 free(data);
79 }
80 }
81}
82
83void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_ncpy_34_good()
84{
85 goodG2B();
86}
87
88#endif /* OMITGOOD */
89
90/* Below is the main(). It is only used when building this testcase on
91 * its own for testing or for building a binary to use in testing binary
92 * analysis tools. It is not used when compiling all the testcases as one
93 * application, which is how source code analysis tools are tested.
94 */
95#ifdef INCLUDEMAIN
96
97int main(int argc, char * argv[])
98{
99 /* seed randomness */
100 srand( (unsigned)time(NULL) );
101#ifndef OMITGOOD
102 printLine("Calling good()...");
103 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_ncpy_34_good();
104 printLine("Finished good()");
105#endif /* OMITGOOD */
106#ifndef OMITBAD
107 printLine("Calling bad()...");
108 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_ncpy_34_bad();
109 printLine("Finished bad()");
110#endif /* OMITBAD */
111 return 0;
112}
113
114#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2363: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_ncat_03.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_ncat_03.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml
4Template File: sources-sink-03.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: ncat
12 * BadSink : Copy data to string using strncat
13 * Flow Variant: 03 Control flow: if(5==5) and if(5!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_ncat_03_bad()
24{
25 char * data;
26 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
27 data = dataBuffer;
28 if(5==5)
29 {
30 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
31 memset(data, 'A', 100-1); /* fill with 'A's */
32 data[100-1] = '\0'; /* null terminate */
33 }
34 {
35 char dest[50] = "";
36 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/
37 strncat(dest, data, strlen(data));❗VULN
38 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
39 printLine(data);
40 }
41}
42
43#endif /* OMITBAD */
44
45#ifndef OMITGOOD
46
47/* goodG2B1() - use goodsource and badsink by changing the 5==5 to 5!=5 */
48static void goodG2B1()
49{
50 char * data;
51 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
52 data = dataBuffer;
53 if(5!=5)
54 {
55 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
56 printLine("Benign, fixed string");
57 }
58 else
59 {
60 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
61 memset(data, 'A', 50-1); /* fill with 'A's */
62 data[50-1] = '\0'; /* null terminate */
63 }
64 {
65 char dest[50] = "";
66 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/
67 strncat(dest, data, strlen(data));
68 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
69 printLine(data);
70 }
71}
72
73/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
74static void goodG2B2()
75{
76 char * data;
77 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
78 data = dataBuffer;
79 if(5==5)
80 {
81 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
82 memset(data, 'A', 50-1); /* fill with 'A's */
83 data[50-1] = '\0'; /* null terminate */
84 }
85 {
86 char dest[50] = "";
87 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/
88 strncat(dest, data, strlen(data));
89 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
90 printLine(data);
91 }
92}
93
94void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_ncat_03_good()
95{
96 goodG2B1();
97 goodG2B2();
98}
99
100#endif /* OMITGOOD */
101
102/* Below is the main(). It is only used when building this testcase on
103 * its own for testing or for building a binary to use in testing binary
104 * analysis tools. It is not used when compiling all the testcases as one
105 * application, which is how source code analysis tools are tested.
106 */
107
108#ifdef INCLUDEMAIN
109
110int main(int argc, char * argv[])
111{
112 /* seed randomness */
113 srand( (unsigned)time(NULL) );
114#ifndef OMITGOOD
115 printLine("Calling good()...");
116 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_ncat_03_good();
117 printLine("Finished good()");
118#endif /* OMITGOOD */
119#ifndef OMITBAD
120 printLine("Calling bad()...");
121 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_ncat_03_bad();
122 printLine("Finished bad()");
123#endif /* OMITBAD */
124 return 0;
125}
126
127#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8550: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_ncat_11.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_ncat_11.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml
4Template File: sources-sink-11.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: ncat
12 * BadSink : Copy string to data using wcsncat
13 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_ncat_11_bad()
24{
25 wchar_t * data;
26 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
27 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
28 if(globalReturnsTrue())
29 {
30 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
31 * buffer in various memory copying functions using a "large" source buffer. */
32 data = dataBadBuffer;
33 data[0] = L'\0'; /* null terminate */
34 }
35 {
36 wchar_t source[100];
37 wmemset(source, L'C', 100-1); /* fill with L'C's */
38 source[100-1] = L'\0'; /* null terminate */
39 /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */
40 wcsncat(data, source, 100);❗VULN
41 printWLine(data);
42 }
43}
44
45#endif /* OMITBAD */
46
47#ifndef OMITGOOD
48
49/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */
50static void goodG2B1()
51{
52 wchar_t * data;
53 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
54 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
55 if(globalReturnsFalse())
56 {
57 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
58 printLine("Benign, fixed string");
59 }
60 else
61 {
62 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
63 data = dataGoodBuffer;
64 data[0] = L'\0'; /* null terminate */
65 }
66 {
67 wchar_t source[100];
68 wmemset(source, L'C', 100-1); /* fill with L'C's */
69 source[100-1] = L'\0'; /* null terminate */
70 /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */
71 wcsncat(data, source, 100);
72 printWLine(data);
73 }
74}
75
76/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
77static void goodG2B2()
78{
79 wchar_t * data;
80 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
81 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
82 if(globalReturnsTrue())
83 {
84 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
85 data = dataGoodBuffer;
86 data[0] = L'\0'; /* null terminate */
87 }
88 {
89 wchar_t source[100];
90 wmemset(source, L'C', 100-1); /* fill with L'C's */
91 source[100-1] = L'\0'; /* null terminate */
92 /* POTENTIAL FLAW: Possible buffer overflow if the sizeof(data)-strlen(data) is less than the length of source */
93 wcsncat(data, source, 100);
94 printWLine(data);
95 }
96}
97
98void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_ncat_11_good()
99{
100 goodG2B1();
101 goodG2B2();
102}
103
104#endif /* OMITGOOD */
105
106/* Below is the main(). It is only used when building this testcase on
107 * its own for testing or for building a binary to use in testing binary
108 * analysis tools. It is not used when compiling all the testcases as one
109 * application, which is how source code analysis tools are tested.
110 */
111
112#ifdef INCLUDEMAIN
113
114int main(int argc, char * argv[])
115{
116 /* seed randomness */
117 srand( (unsigned)time(NULL) );
118#ifndef OMITGOOD
119 printLine("Calling good()...");
120 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_ncat_11_good();
121 printLine("Finished good()");
122#endif /* OMITGOOD */
123#ifndef OMITBAD
124 printLine("Calling bad()...");
125 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_ncat_11_bad();
126 printLine("Finished bad()");
127#endif /* OMITBAD */
128 return 0;
129}
130
131#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8945: CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_06.c

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_06.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__src.label.xml
4Template File: sources-sink-06.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: cat
12 * BadSink : Copy data to string using strcat
13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The variable below is declared "const", so a tool should be able
22 * to identify that reads of this will always give its initialized value. */
23static const int STATIC_CONST_FIVE = 5;
24
25#ifndef OMITBAD
26
27void CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_06_bad()
28{
29 char * data;
30 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
31 data = dataBuffer;
32 if(STATIC_CONST_FIVE==5)
33 {
34 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
35 memset(data, 'A', 100-1); /* fill with 'A's */
36 data[100-1] = '\0'; /* null terminate */
37 }
38 {
39 char dest[50] = "";
40 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/
41 strcat(dest, data);❗VULN
42 printLine(data);
43 }
44}
45
46#endif /* OMITBAD */
47
48#ifndef OMITGOOD
49
50/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */
51static void goodG2B1()
52{
53 char * data;
54 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
55 data = dataBuffer;
56 if(STATIC_CONST_FIVE!=5)
57 {
58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
59 printLine("Benign, fixed string");
60 }
61 else
62 {
63 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
64 memset(data, 'A', 50-1); /* fill with 'A's */
65 data[50-1] = '\0'; /* null terminate */
66 }
67 {
68 char dest[50] = "";
69 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/
70 strcat(dest, data);
71 printLine(data);
72 }
73}
74
75/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
76static void goodG2B2()
77{
78 char * data;
79 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
80 data = dataBuffer;
81 if(STATIC_CONST_FIVE==5)
82 {
83 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
84 memset(data, 'A', 50-1); /* fill with 'A's */
85 data[50-1] = '\0'; /* null terminate */
86 }
87 {
88 char dest[50] = "";
89 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/
90 strcat(dest, data);
91 printLine(data);
92 }
93}
94
95void CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_06_good()
96{
97 goodG2B1();
98 goodG2B2();
99}
100
101#endif /* OMITGOOD */
102
103/* Below is the main(). It is only used when building this testcase on
104 * its own for testing or for building a binary to use in testing binary
105 * analysis tools. It is not used when compiling all the testcases as one
106 * application, which is how source code analysis tools are tested.
107 */
108
109#ifdef INCLUDEMAIN
110
111int main(int argc, char * argv[])
112{
113 /* seed randomness */
114 srand( (unsigned)time(NULL) );
115#ifndef OMITGOOD
116 printLine("Calling good()...");
117 CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_06_good();
118 printLine("Finished good()");
119#endif /* OMITGOOD */
120#ifndef OMITBAD
121 printLine("Calling bad()...");
122 CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cat_06_bad();
123 printLine("Finished bad()");
124#endif /* OMITBAD */
125 return 0;
126}
127
128#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8933: CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22b.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22b.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE129.label.xml
4Template File: sources-sinks-22b.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: fscanf Read data from the console using fscanf()
10 * GoodSource: Larger than zero but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the upper bound
14 * Flow Variant: 22 Control flow: Flow controlled by value of a global variable. Sink functions are in a separate file from sources.
15 *
16 * */
17
18#include "std_testcase.h"
19
20#ifndef OMITBAD
21
22/* The global variable below is used to drive control flow in the sink function */
23extern int CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_badGlobal;
24
25void CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_badSink(int data)
26{
27 if(CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_badGlobal)
28 {
29 {
30 int i;
31 int buffer[10] = { 0 };
32 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
33 * This code does check to see if the array index is negative */
34 if (data >= 0)
35 {
36 buffer[data] = 1;❗VULN
37 /* Print the array values */
38 for(i = 0; i < 10; i++)
39 {
40 printIntLine(buffer[i]);
41 }
42 }
43 else
44 {
45 printLine("ERROR: Array index is negative.");
46 }
47 }
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* The global variables below are used to drive control flow in the sink functions. */
56extern int CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_goodB2G1Global;
57extern int CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_goodB2G2Global;
58extern int CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_goodG2BGlobal;
59
60/* goodB2G1() - use badsource and goodsink by setting the static variable to false instead of true */
61void CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_goodB2G1Sink(int data)
62{
63 if(CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_goodB2G1Global)
64 {
65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
66 printLine("Benign, fixed string");
67 }
68 else
69 {
70 {
71 int i;
72 int buffer[10] = { 0 };
73 /* FIX: Properly validate the array index and prevent a buffer overflow */
74 if (data >= 0 && data < (10))
75 {
76 buffer[data] = 1;
77 /* Print the array values */
78 for(i = 0; i < 10; i++)
79 {
80 printIntLine(buffer[i]);
81 }
82 }
83 else
84 {
85 printLine("ERROR: Array index is out-of-bounds");
86 }
87 }
88 }
89}
90
91/* goodB2G2() - use badsource and goodsink by reversing the blocks in the if in the sink function */
92void CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_goodB2G2Sink(int data)
93{
94 if(CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_goodB2G2Global)
95 {
96 {
97 int i;
98 int buffer[10] = { 0 };
99 /* FIX: Properly validate the array index and prevent a buffer overflow */
100 if (data >= 0 && data < (10))
101 {
102 buffer[data] = 1;
103 /* Print the array values */
104 for(i = 0; i < 10; i++)
105 {
106 printIntLine(buffer[i]);
107 }
108 }
109 else
110 {
111 printLine("ERROR: Array index is out-of-bounds");
112 }
113 }
114 }
115}
116
117/* goodG2B() - use goodsource and badsink */
118void CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_goodG2BSink(int data)
119{
120 if(CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_22_goodG2BGlobal)
121 {
122 {
123 int i;
124 int buffer[10] = { 0 };
125 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
126 * This code does check to see if the array index is negative */
127 if (data >= 0)
128 {
129 buffer[data] = 1;
130 /* Print the array values */
131 for(i = 0; i < 10; i++)
132 {
133 printIntLine(buffer[i]);
134 }
135 }
136 else
137 {
138 printLine("ERROR: Array index is negative.");
139 }
140 }
141 }
142}
143
144#endif /* OMITGOOD */

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7193: CWE127_Buffer_Underread__malloc_char_cpy_03.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__malloc_char_cpy_03.c
3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml
4Template File: sources-sink-03.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: cpy
12 * BadSink : Copy data to string using strcpy
13 * Flow Variant: 03 Control flow: if(5==5) and if(5!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__malloc_char_cpy_03_bad()
24{
25 char * data;
26 data = NULL;
27 if(5==5)
28 {
29 {
30 char * dataBuffer = (char *)malloc(100*sizeof(char));
31 if (dataBuffer == NULL) {exit(-1);}
32 memset(dataBuffer, 'A', 100-1);
33 dataBuffer[100-1] = '\0';
34 /* FLAW: Set data pointer to before the allocated memory buffer */
35 data = dataBuffer - 8;
36 }
37 }
38 {
39 char dest[100*2];
40 memset(dest, 'C', 100*2-1); /* fill with 'C's */
41 dest[100*2-1] = '\0'; /* null terminate */
42 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
43 strcpy(dest, data);❗VULN
44 printLine(dest);
45 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
46 * returned by malloc() so can't safely call free() on it */
47 }
48}
49
50#endif /* OMITBAD */
51
52#ifndef OMITGOOD
53
54/* goodG2B1() - use goodsource and badsink by changing the 5==5 to 5!=5 */
55static void goodG2B1()
56{
57 char * data;
58 data = NULL;
59 if(5!=5)
60 {
61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
62 printLine("Benign, fixed string");
63 }
64 else
65 {
66 {
67 char * dataBuffer = (char *)malloc(100*sizeof(char));
68 if (dataBuffer == NULL) {exit(-1);}
69 memset(dataBuffer, 'A', 100-1);
70 dataBuffer[100-1] = '\0';
71 /* FIX: Set data pointer to the allocated memory buffer */
72 data = dataBuffer;
73 }
74 }
75 {
76 char dest[100*2];
77 memset(dest, 'C', 100*2-1); /* fill with 'C's */
78 dest[100*2-1] = '\0'; /* null terminate */
79 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
80 strcpy(dest, data);
81 printLine(dest);
82 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
83 * returned by malloc() so can't safely call free() on it */
84 }
85}
86
87/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
88static void goodG2B2()
89{
90 char * data;
91 data = NULL;
92 if(5==5)
93 {
94 {
95 char * dataBuffer = (char *)malloc(100*sizeof(char));
96 if (dataBuffer == NULL) {exit(-1);}
97 memset(dataBuffer, 'A', 100-1);
98 dataBuffer[100-1] = '\0';
99 /* FIX: Set data pointer to the allocated memory buffer */
100 data = dataBuffer;
101 }
102 }
103 {
104 char dest[100*2];
105 memset(dest, 'C', 100*2-1); /* fill with 'C's */
106 dest[100*2-1] = '\0'; /* null terminate */
107 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
108 strcpy(dest, data);
109 printLine(dest);
110 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
111 * returned by malloc() so can't safely call free() on it */
112 }
113}
114
115void CWE127_Buffer_Underread__malloc_char_cpy_03_good()
116{
117 goodG2B1();
118 goodG2B2();
119}
120
121#endif /* OMITGOOD */
122
123/* Below is the main(). It is only used when building this testcase on
124 * its own for testing or for building a binary to use in testing binary
125 * analysis tools. It is not used when compiling all the testcases as one
126 * application, which is how source code analysis tools are tested.
127 */
128
129#ifdef INCLUDEMAIN
130
131int main(int argc, char * argv[])
132{
133 /* seed randomness */
134 srand( (unsigned)time(NULL) );
135#ifndef OMITGOOD
136 printLine("Calling good()...");
137 CWE127_Buffer_Underread__malloc_char_cpy_03_good();
138 printLine("Finished good()");
139#endif /* OMITGOOD */
140#ifndef OMITBAD
141 printLine("Calling bad()...");
142 CWE127_Buffer_Underread__malloc_char_cpy_03_bad();
143 printLine("Finished bad()");
144#endif /* OMITBAD */
145 return 0;
146}
147
148#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9221: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_memcpy_09.cpp

Nodes: 8 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_memcpy_09.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193.label.xml
4Template File: sources-sink-09.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 * GoodSource: Allocate enough memory for a string and the NULL terminator
11 * Sink: memcpy
12 * BadSink : Copy string to data using memcpy()
13 * Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE) and if(GLOBAL_CONST_FALSE)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING "AAAAAAAAAA"
25
26namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_memcpy_09
27{
28
29#ifndef OMITBAD
30
31void bad()
32{
33 char * data;
34 data = NULL;
35 if(GLOBAL_CONST_TRUE)
36 {
37 /* FLAW: Did not leave space for a null terminator */
38 data = new char[10];
39 }
40 {
41 char source[10+1] = SRC_STRING;
42 /* Copy length + 1 to include NUL terminator from source */
43 /* POTENTIAL FLAW: data may not have enough space to hold source */
44 memcpy(data, source, (strlen(source) + 1) * sizeof(char));❗VULN
45 printLine(data);
46 delete [] data;
47 }
48}
49
50#endif /* OMITBAD */
51
52#ifndef OMITGOOD
53
54/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */
55static void goodG2B1()
56{
57 char * data;
58 data = NULL;
59 if(GLOBAL_CONST_FALSE)
60 {
61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
62 printLine("Benign, fixed string");
63 }
64 else
65 {
66 /* FIX: Allocate space for a null terminator */
67 data = new char[10+1];
68 }
69 {
70 char source[10+1] = SRC_STRING;
71 /* Copy length + 1 to include NUL terminator from source */
72 /* POTENTIAL FLAW: data may not have enough space to hold source */
73 memcpy(data, source, (strlen(source) + 1) * sizeof(char));
74 printLine(data);
75 delete [] data;
76 }
77}
78
79/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
80static void goodG2B2()
81{
82 char * data;
83 data = NULL;
84 if(GLOBAL_CONST_TRUE)
85 {
86 /* FIX: Allocate space for a null terminator */
87 data = new char[10+1];
88 }
89 {
90 char source[10+1] = SRC_STRING;
91 /* Copy length + 1 to include NUL terminator from source */
92 /* POTENTIAL FLAW: data may not have enough space to hold source */
93 memcpy(data, source, (strlen(source) + 1) * sizeof(char));
94 printLine(data);
95 delete [] data;
96 }
97}
98
99void good()
100{
101 goodG2B1();
102 goodG2B2();
103}
104
105#endif /* OMITGOOD */
106
107} /* close namespace */
108
109/* Below is the main(). It is only used when building this testcase on
110 its own for testing or for building a binary to use in testing binary
111 analysis tools. It is not used when compiling all the testcases as one
112 application, which is how source code analysis tools are tested. */
113
114#ifdef INCLUDEMAIN
115
116using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_memcpy_09; /* so that we can use good and bad easily */
117
118int main(int argc, char * argv[])
119{
120 /* seed randomness */
121 srand( (unsigned)time(NULL) );
122#ifndef OMITGOOD
123 printLine("Calling good()...");
124 good();
125 printLine("Finished good()");
126#endif /* OMITGOOD */
127#ifndef OMITBAD
128 printLine("Calling bad()...");
129 bad();
130 printLine("Finished bad()");
131#endif /* OMITBAD */
132 return 0;
133}
134
135#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2477: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_loop_13.cpp

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_loop_13.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193.label.xml
4Template File: sources-sink-13.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 * GoodSource: Allocate enough memory for a string and the NULL terminator
11 * Sink: loop
12 * BadSink : Copy array to data using a loop
13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING "AAAAAAAAAA"
25
26namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_loop_13
27{
28
29#ifndef OMITBAD
30
31void bad()
32{
33 char * data;
34 data = NULL;
35 if(GLOBAL_CONST_FIVE==5)
36 {
37 /* FLAW: Did not leave space for a null terminator */
38 data = new char[10];
39 }
40 {
41 char source[10+1] = SRC_STRING;
42 size_t i, sourceLen;
43 sourceLen = strlen(source);
44 /* Copy length + 1 to include NUL terminator from source */
45 /* POTENTIAL FLAW: data may not have enough space to hold source */
46 for (i = 0; i < sourceLen + 1; i++)
47 {
48 data[i] = source[i];❗VULN
49 }
50 printLine(data);
51 delete [] data;
52 }
53}
54
55#endif /* OMITBAD */
56
57#ifndef OMITGOOD
58
59/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */
60static void goodG2B1()
61{
62 char * data;
63 data = NULL;
64 if(GLOBAL_CONST_FIVE!=5)
65 {
66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
67 printLine("Benign, fixed string");
68 }
69 else
70 {
71 /* FIX: Allocate space for a null terminator */
72 data = new char[10+1];
73 }
74 {
75 char source[10+1] = SRC_STRING;
76 size_t i, sourceLen;
77 sourceLen = strlen(source);
78 /* Copy length + 1 to include NUL terminator from source */
79 /* POTENTIAL FLAW: data may not have enough space to hold source */
80 for (i = 0; i < sourceLen + 1; i++)
81 {
82 data[i] = source[i];
83 }
84 printLine(data);
85 delete [] data;
86 }
87}
88
89/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
90static void goodG2B2()
91{
92 char * data;
93 data = NULL;
94 if(GLOBAL_CONST_FIVE==5)
95 {
96 /* FIX: Allocate space for a null terminator */
97 data = new char[10+1];
98 }
99 {
100 char source[10+1] = SRC_STRING;
101 size_t i, sourceLen;
102 sourceLen = strlen(source);
103 /* Copy length + 1 to include NUL terminator from source */
104 /* POTENTIAL FLAW: data may not have enough space to hold source */
105 for (i = 0; i < sourceLen + 1; i++)
106 {
107 data[i] = source[i];
108 }
109 printLine(data);
110 delete [] data;
111 }
112}
113
114void good()
115{
116 goodG2B1();
117 goodG2B2();
118}
119
120#endif /* OMITGOOD */
121
122} /* close namespace */
123
124/* Below is the main(). It is only used when building this testcase on
125 its own for testing or for building a binary to use in testing binary
126 analysis tools. It is not used when compiling all the testcases as one
127 application, which is how source code analysis tools are tested. */
128
129#ifdef INCLUDEMAIN
130
131using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE193_char_loop_13; /* so that we can use good and bad easily */
132
133int main(int argc, char * argv[])
134{
135 /* seed randomness */
136 srand( (unsigned)time(NULL) );
137#ifndef OMITGOOD
138 printLine("Calling good()...");
139 good();
140 printLine("Finished good()");
141#endif /* OMITGOOD */
142#ifndef OMITBAD
143 printLine("Calling bad()...");
144 bad();
145 printLine("Finished bad()");
146#endif /* OMITBAD */
147 return 0;
148}
149
150#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6104: CWE124_Buffer_Underwrite__CWE839_rand_15.c

Nodes: 24 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__CWE839_rand_15.c
3Label Definition File: CWE124_Buffer_Underwrite__CWE839.label.xml
4Template File: sources-sinks-15.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: rand Set data to result of rand(), which may be zero
10 * GoodSource: Non-negative but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the lower bound
14 * Flow Variant: 15 Control flow: switch(6) and switch(7)
15 *
16 * */
17
18#include "std_testcase.h"
19
20#ifndef OMITBAD
21
22void CWE124_Buffer_Underwrite__CWE839_rand_15_bad()
23{
24 int data;
25 /* Initialize data */
26 data = -1;
27 switch(6)
28 {
29 case 6:
30 /* POTENTIAL FLAW: Set data to a random value */
31 data = RAND32();
32 break;
33 default:
34 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
35 printLine("Benign, fixed string");
36 break;
37 }
38 switch(7)
39 {
40 case 7:
41 {
42 int i;
43 int buffer[10] = { 0 };
44 /* POTENTIAL FLAW: Attempt to access a negative index of the array
45 * This code does not check to see if the array index is negative */
46 if (data < 10)
47 {
48 buffer[data] = 1;❗VULN
49 /* Print the array values */
50 for(i = 0; i < 10; i++)
51 {
52 printIntLine(buffer[i]);
53 }
54 }
55 else
56 {
57 printLine("ERROR: Array index is negative.");
58 }
59 }
60 break;
61 default:
62 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
63 printLine("Benign, fixed string");
64 break;
65 }
66}
67
68#endif /* OMITBAD */
69
70#ifndef OMITGOOD
71
72/* goodB2G1() - use badsource and goodsink by changing the second switch to switch(8) */
73static void goodB2G1()
74{
75 int data;
76 /* Initialize data */
77 data = -1;
78 switch(6)
79 {
80 case 6:
81 /* POTENTIAL FLAW: Set data to a random value */
82 data = RAND32();
83 break;
84 default:
85 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
86 printLine("Benign, fixed string");
87 break;
88 }
89 switch(8)
90 {
91 case 7:
92 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
93 printLine("Benign, fixed string");
94 break;
95 default:
96 {
97 int i;
98 int buffer[10] = { 0 };
99 /* FIX: Properly validate the array index and prevent a buffer underwrite */
100 if (data >= 0 && data < (10))
101 {
102 buffer[data] = 1;
103 /* Print the array values */
104 for(i = 0; i < 10; i++)
105 {
106 printIntLine(buffer[i]);
107 }
108 }
109 else
110 {
111 printLine("ERROR: Array index is out-of-bounds");
112 }
113 }
114 break;
115 }
116}
117
118/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second switch */
119static void goodB2G2()
120{
121 int data;
122 /* Initialize data */
123 data = -1;
124 switch(6)
125 {
126 case 6:
127 /* POTENTIAL FLAW: Set data to a random value */
128 data = RAND32();
129 break;
130 default:
131 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
132 printLine("Benign, fixed string");
133 break;
134 }
135 switch(7)
136 {
137 case 7:
138 {
139 int i;
140 int buffer[10] = { 0 };
141 /* FIX: Properly validate the array index and prevent a buffer underwrite */
142 if (data >= 0 && data < (10))
143 {
144 buffer[data] = 1;
145 /* Print the array values */
146 for(i = 0; i < 10; i++)
147 {
148 printIntLine(buffer[i]);
149 }
150 }
151 else
152 {
153 printLine("ERROR: Array index is out-of-bounds");
154 }
155 }
156 break;
157 default:
158 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
159 printLine("Benign, fixed string");
160 break;
161 }
162}
163
164/* goodG2B1() - use goodsource and badsink by changing the first switch to switch(5) */
165static void goodG2B1()
166{
167 int data;
168 /* Initialize data */
169 data = -1;
170 switch(5)
171 {
172 case 6:
173 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
174 printLine("Benign, fixed string");
175 break;
176 default:
177 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
178 * access an index of the array in the sink that is out-of-bounds */
179 data = 7;
180 break;
181 }
182 switch(7)
183 {
184 case 7:
185 {
186 int i;
187 int buffer[10] = { 0 };
188 /* POTENTIAL FLAW: Attempt to access a negative index of the array
189 * This code does not check to see if the array index is negative */
190 if (data < 10)
191 {
192 buffer[data] = 1;
193 /* Print the array values */
194 for(i = 0; i < 10; i++)
195 {
196 printIntLine(buffer[i]);
197 }
198 }
199 else
200 {
201 printLine("ERROR: Array index is negative.");
202 }
203 }
204 break;
205 default:
206 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
207 printLine("Benign, fixed string");
208 break;
209 }
210}
211
212/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first switch */
213static void goodG2B2()
214{
215 int data;
216 /* Initialize data */
217 data = -1;
218 switch(6)
219 {
220 case 6:
221 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
222 * access an index of the array in the sink that is out-of-bounds */
223 data = 7;
224 break;
225 default:
226 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
227 printLine("Benign, fixed string");
228 break;
229 }
230 switch(7)
231 {
232 case 7:
233 {
234 int i;
235 int buffer[10] = { 0 };
236 /* POTENTIAL FLAW: Attempt to access a negative index of the array
237 * This code does not check to see if the array index is negative */
238 if (data < 10)
239 {
240 buffer[data] = 1;
241 /* Print the array values */
242 for(i = 0; i < 10; i++)
243 {
244 printIntLine(buffer[i]);
245 }
246 }
247 else
248 {
249 printLine("ERROR: Array index is negative.");
250 }
251 }
252 break;
253 default:
254 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
255 printLine("Benign, fixed string");
256 break;
257 }
258}
259
260void CWE124_Buffer_Underwrite__CWE839_rand_15_good()
261{
262 goodB2G1();
263 goodB2G2();
264 goodG2B1();
265 goodG2B2();
266}
267
268#endif /* OMITGOOD */
269
270/* Below is the main(). It is only used when building this testcase on
271 its own for testing or for building a binary to use in testing binary
272 analysis tools. It is not used when compiling all the testcases as one
273 application, which is how source code analysis tools are tested. */
274
275#ifdef INCLUDEMAIN
276
277int main(int argc, char * argv[])
278{
279 /* seed randomness */
280 srand( (unsigned)time(NULL) );
281#ifndef OMITGOOD
282 printLine("Calling good()...");
283 CWE124_Buffer_Underwrite__CWE839_rand_15_good();
284 printLine("Finished good()");
285#endif /* OMITGOOD */
286#ifndef OMITBAD
287 printLine("Calling bad()...");
288 CWE124_Buffer_Underwrite__CWE839_rand_15_bad();
289 printLine("Finished bad()");
290#endif /* OMITBAD */
291 return 0;
292}
293
294#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3847: CWE124_Buffer_Underwrite__char_declare_memmove_33.cpp

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__char_declare_memmove_33.cpp
3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml
4Template File: sources-sink-33.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sinks: memmove
12 * BadSink : Copy string to data using memmove
13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE124_Buffer_Underwrite__char_declare_memmove_33
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 char * data;
29 char * &dataRef = data;
30 char dataBuffer[100];
31 memset(dataBuffer, 'A', 100-1);
32 dataBuffer[100-1] = '\0';
33 /* FLAW: Set data pointer to before the allocated memory buffer */
34 data = dataBuffer - 8;
35 {
36 char * data = dataRef;
37 {
38 char source[100];
39 memset(source, 'C', 100-1); /* fill with 'C's */
40 source[100-1] = '\0'; /* null terminate */
41 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
42 memmove(data, source, 100*sizeof(char));❗VULN
43 /* Ensure the destination buffer is null terminated */
44 data[100-1] = '\0';
45 printLine(data);
46 }
47 }
48}
49
50#endif /* OMITBAD */
51
52#ifndef OMITGOOD
53
54/* goodG2B() uses the GoodSource with the BadSink */
55static void goodG2B()
56{
57 char * data;
58 char * &dataRef = data;
59 char dataBuffer[100];
60 memset(dataBuffer, 'A', 100-1);
61 dataBuffer[100-1] = '\0';
62 /* FIX: Set data pointer to the allocated memory buffer */
63 data = dataBuffer;
64 {
65 char * data = dataRef;
66 {
67 char source[100];
68 memset(source, 'C', 100-1); /* fill with 'C's */
69 source[100-1] = '\0'; /* null terminate */
70 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
71 memmove(data, source, 100*sizeof(char));
72 /* Ensure the destination buffer is null terminated */
73 data[100-1] = '\0';
74 printLine(data);
75 }
76 }
77}
78
79void good()
80{
81 goodG2B();
82}
83
84#endif /* OMITGOOD */
85
86} /* close namespace */
87
88/* Below is the main(). It is only used when building this testcase on
89 * its own for testing or for building a binary to use in testing binary
90 * analysis tools. It is not used when compiling all the testcases as one
91 * application, which is how source code analysis tools are tested.
92 */
93#ifdef INCLUDEMAIN
94
95using namespace CWE124_Buffer_Underwrite__char_declare_memmove_33; /* so that we can use good and bad easily */
96
97int main(int argc, char * argv[])
98{
99 /* seed randomness */
100 srand( (unsigned)time(NULL) );
101#ifndef OMITGOOD
102 printLine("Calling good()...");
103 good();
104 printLine("Finished good()");
105#endif /* OMITGOOD */
106#ifndef OMITBAD
107 printLine("Calling bad()...");
108 bad();
109 printLine("Finished bad()");
110#endif /* OMITBAD */
111 return 0;
112}
113
114#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6505: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncpy_07.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncpy_07.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml
4Template File: sources-sink-07.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: ncpy
12 * BadSink : Copy data to string using wcsncpy
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The variable below is not declared "const", but is never assigned
22 * any other value so a tool should be able to identify that reads of
23 * this will always give its initialized value.
24 */
25static int staticFive = 5;
26
27#ifndef OMITBAD
28
29void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncpy_07_bad()
30{
31 wchar_t * data;
32 data = (wchar_t *)malloc(100*sizeof(wchar_t));
33 if (data == NULL) {exit(-1);}
34 if(staticFive==5)
35 {
36 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
37 wmemset(data, L'A', 100-1); /* fill with L'A's */
38 data[100-1] = L'\0'; /* null terminate */
39 }
40 {
41 wchar_t dest[50] = L"";
42 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
43 wcsncpy(dest, data, wcslen(data));❗VULN
44 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
45 printWLine(data);
46 free(data);
47 }
48}
49
50#endif /* OMITBAD */
51
52#ifndef OMITGOOD
53
54/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
55static void goodG2B1()
56{
57 wchar_t * data;
58 data = (wchar_t *)malloc(100*sizeof(wchar_t));
59 if (data == NULL) {exit(-1);}
60 if(staticFive!=5)
61 {
62 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
63 printLine("Benign, fixed string");
64 }
65 else
66 {
67 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
68 wmemset(data, L'A', 50-1); /* fill with L'A's */
69 data[50-1] = L'\0'; /* null terminate */
70 }
71 {
72 wchar_t dest[50] = L"";
73 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
74 wcsncpy(dest, data, wcslen(data));
75 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
76 printWLine(data);
77 free(data);
78 }
79}
80
81/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
82static void goodG2B2()
83{
84 wchar_t * data;
85 data = (wchar_t *)malloc(100*sizeof(wchar_t));
86 if (data == NULL) {exit(-1);}
87 if(staticFive==5)
88 {
89 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
90 wmemset(data, L'A', 50-1); /* fill with L'A's */
91 data[50-1] = L'\0'; /* null terminate */
92 }
93 {
94 wchar_t dest[50] = L"";
95 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
96 wcsncpy(dest, data, wcslen(data));
97 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
98 printWLine(data);
99 free(data);
100 }
101}
102
103void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncpy_07_good()
104{
105 goodG2B1();
106 goodG2B2();
107}
108
109#endif /* OMITGOOD */
110
111/* Below is the main(). It is only used when building this testcase on
112 * its own for testing or for building a binary to use in testing binary
113 * analysis tools. It is not used when compiling all the testcases as one
114 * application, which is how source code analysis tools are tested.
115 */
116
117#ifdef INCLUDEMAIN
118
119int main(int argc, char * argv[])
120{
121 /* seed randomness */
122 srand( (unsigned)time(NULL) );
123#ifndef OMITGOOD
124 printLine("Calling good()...");
125 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncpy_07_good();
126 printLine("Finished good()");
127#endif /* OMITGOOD */
128#ifndef OMITBAD
129 printLine("Calling bad()...");
130 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_ncpy_07_bad();
131 printLine("Finished bad()");
132#endif /* OMITBAD */
133 return 0;
134}
135
136#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8359: CWE124_Buffer_Underwrite__char_alloca_cpy_45.c

Nodes: 6 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__char_alloca_cpy_45.c
3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml
4Template File: sources-sink-45.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sinks: cpy
12 * BadSink : Copy string to data using strcpy
13 * Flow Variant: 45 Data flow: data passed as a static global variable from one function to another in the same source file
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21static char * CWE124_Buffer_Underwrite__char_alloca_cpy_45_badData;
22static char * CWE124_Buffer_Underwrite__char_alloca_cpy_45_goodG2BData;
23
24#ifndef OMITBAD
25
26static void badSink()
27{
28 char * data = CWE124_Buffer_Underwrite__char_alloca_cpy_45_badData;
29 {
30 char source[100];
31 memset(source, 'C', 100-1); /* fill with 'C's */
32 source[100-1] = '\0'; /* null terminate */
33 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
34 strcpy(data, source);❗VULN
35 printLine(data);
36 }
37}
38
39void CWE124_Buffer_Underwrite__char_alloca_cpy_45_bad()
40{
41 char * data;
42 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
43 memset(dataBuffer, 'A', 100-1);
44 dataBuffer[100-1] = '\0';
45 /* FLAW: Set data pointer to before the allocated memory buffer */
46 data = dataBuffer - 8;
47 CWE124_Buffer_Underwrite__char_alloca_cpy_45_badData = data;
48 badSink();
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* goodG2B() uses the GoodSource with the BadSink */
56static void goodG2BSink()
57{
58 char * data = CWE124_Buffer_Underwrite__char_alloca_cpy_45_goodG2BData;
59 {
60 char source[100];
61 memset(source, 'C', 100-1); /* fill with 'C's */
62 source[100-1] = '\0'; /* null terminate */
63 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
64 strcpy(data, source);
65 printLine(data);
66 }
67}
68
69static void goodG2B()
70{
71 char * data;
72 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
73 memset(dataBuffer, 'A', 100-1);
74 dataBuffer[100-1] = '\0';
75 /* FIX: Set data pointer to the allocated memory buffer */
76 data = dataBuffer;
77 CWE124_Buffer_Underwrite__char_alloca_cpy_45_goodG2BData = data;
78 goodG2BSink();
79}
80
81void CWE124_Buffer_Underwrite__char_alloca_cpy_45_good()
82{
83 goodG2B();
84}
85
86#endif /* OMITGOOD */
87
88/* Below is the main(). It is only used when building this testcase on
89 * its own for testing or for building a binary to use in testing binary
90 * analysis tools. It is not used when compiling all the testcases as one
91 * application, which is how source code analysis tools are tested.
92 */
93#ifdef INCLUDEMAIN
94
95int main(int argc, char * argv[])
96{
97 /* seed randomness */
98 srand( (unsigned)time(NULL) );
99#ifndef OMITGOOD
100 printLine("Calling good()...");
101 CWE124_Buffer_Underwrite__char_alloca_cpy_45_good();
102 printLine("Finished good()");
103#endif /* OMITGOOD */
104#ifndef OMITBAD
105 printLine("Calling bad()...");
106 CWE124_Buffer_Underwrite__char_alloca_cpy_45_bad();
107 printLine("Finished bad()");
108#endif /* OMITBAD */
109 return 0;
110}
111
112#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9443: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_loop_18.c

Nodes: 16 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_loop_18.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml
4Template File: sources-sink-18.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 18 Control flow: goto statements
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_loop_18_bad()
24{
25 char * data;
26 char dataBuffer[100];
27 data = dataBuffer;
28 goto source;
29source:
30 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
31 memset(data, 'A', 100-1); /* fill with 'A's */
32 data[100-1] = '\0'; /* null terminate */
33 {
34 char dest[50] = "";
35 size_t i, dataLen;
36 dataLen = strlen(data);
37 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
38 for (i = 0; i < dataLen; i++)
39 {
40 dest[i] = data[i];❗VULN
41 }
42 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
43 printLine(data);
44 }
45}
46
47#endif /* OMITBAD */
48
49#ifndef OMITGOOD
50
51/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
52static void goodG2B()
53{
54 char * data;
55 char dataBuffer[100];
56 data = dataBuffer;
57 goto source;
58source:
59 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
60 memset(data, 'A', 50-1); /* fill with 'A's */
61 data[50-1] = '\0'; /* null terminate */
62 {
63 char dest[50] = "";
64 size_t i, dataLen;
65 dataLen = strlen(data);
66 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
67 for (i = 0; i < dataLen; i++)
68 {
69 dest[i] = data[i];
70 }
71 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
72 printLine(data);
73 }
74}
75
76void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_loop_18_good()
77{
78 goodG2B();
79}
80
81#endif /* OMITGOOD */
82
83/* Below is the main(). It is only used when building this testcase on
84 * its own for testing or for building a binary to use in testing binary
85 * analysis tools. It is not used when compiling all the testcases as one
86 * application, which is how source code analysis tools are tested.
87 */
88
89#ifdef INCLUDEMAIN
90
91int main(int argc, char * argv[])
92{
93 /* seed randomness */
94 srand( (unsigned)time(NULL) );
95#ifndef OMITGOOD
96 printLine("Calling good()...");
97 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_loop_18_good();
98 printLine("Finished good()");
99#endif /* OMITGOOD */
100#ifndef OMITBAD
101 printLine("Calling bad()...");
102 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_loop_18_bad();
103 printLine("Finished bad()");
104#endif /* OMITBAD */
105 return 0;
106}
107
108#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1949: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_13.c

Nodes: 16 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_13.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml
4Template File: sources-sink-13.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 * Sink: memmove
12 * BadSink : Copy twoIntsStruct array to data using memmove
13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_13_bad()
22{
23 twoIntsStruct * data;
24 data = NULL;
25 if(GLOBAL_CONST_FIVE==5)
26 {
27 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
28 data = (twoIntsStruct *)malloc(50*sizeof(twoIntsStruct));
29 if (data == NULL) {exit(-1);}
30 }
31 {
32 twoIntsStruct source[100];
33 {
34 size_t i;
35 /* Initialize array */
36 for (i = 0; i < 100; i++)
37 {
38 source[i].intOne = 0;
39 source[i].intTwo = 0;
40 }
41 }
42 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
43 memmove(data, source, 100*sizeof(twoIntsStruct));❗VULN
44 printStructLine(&data[0]);
45 free(data);
46 }
47}
48
49#endif /* OMITBAD */
50
51#ifndef OMITGOOD
52
53/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */
54static void goodG2B1()
55{
56 twoIntsStruct * data;
57 data = NULL;
58 if(GLOBAL_CONST_FIVE!=5)
59 {
60 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
61 printLine("Benign, fixed string");
62 }
63 else
64 {
65 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
66 data = (twoIntsStruct *)malloc(100*sizeof(twoIntsStruct));
67 if (data == NULL) {exit(-1);}
68 }
69 {
70 twoIntsStruct source[100];
71 {
72 size_t i;
73 /* Initialize array */
74 for (i = 0; i < 100; i++)
75 {
76 source[i].intOne = 0;
77 source[i].intTwo = 0;
78 }
79 }
80 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
81 memmove(data, source, 100*sizeof(twoIntsStruct));
82 printStructLine(&data[0]);
83 free(data);
84 }
85}
86
87/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
88static void goodG2B2()
89{
90 twoIntsStruct * data;
91 data = NULL;
92 if(GLOBAL_CONST_FIVE==5)
93 {
94 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
95 data = (twoIntsStruct *)malloc(100*sizeof(twoIntsStruct));
96 if (data == NULL) {exit(-1);}
97 }
98 {
99 twoIntsStruct source[100];
100 {
101 size_t i;
102 /* Initialize array */
103 for (i = 0; i < 100; i++)
104 {
105 source[i].intOne = 0;
106 source[i].intTwo = 0;
107 }
108 }
109 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
110 memmove(data, source, 100*sizeof(twoIntsStruct));
111 printStructLine(&data[0]);
112 free(data);
113 }
114}
115
116void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_13_good()
117{
118 goodG2B1();
119 goodG2B2();
120}
121
122#endif /* OMITGOOD */
123
124/* Below is the main(). It is only used when building this testcase on
125 * its own for testing or for building a binary to use in testing binary
126 * analysis tools. It is not used when compiling all the testcases as one
127 * application, which is how source code analysis tools are tested.
128 */
129
130#ifdef INCLUDEMAIN
131
132int main(int argc, char * argv[])
133{
134 /* seed randomness */
135 srand( (unsigned)time(NULL) );
136#ifndef OMITGOOD
137 printLine("Calling good()...");
138 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_13_good();
139 printLine("Finished good()");
140#endif /* OMITGOOD */
141#ifndef OMITBAD
142 printLine("Calling bad()...");
143 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_13_bad();
144 printLine("Finished bad()");
145#endif /* OMITBAD */
146 return 0;
147}
148
149#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5288: CWE126_Buffer_Overread__wchar_t_alloca_memmove_33.cpp

Nodes: 16 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__wchar_t_alloca_memmove_33.cpp
3Label Definition File: CWE126_Buffer_Overread.stack.label.xml
4Template File: sources-sink-33.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Set data pointer to a small buffer
10 * GoodSource: Set data pointer to a large buffer
11 * Sinks: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE126_Buffer_Overread__wchar_t_alloca_memmove_33
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 wchar_t * data;
29 wchar_t * &dataRef = data;
30 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
31 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
32 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */
33 dataBadBuffer[50-1] = L'\0'; /* null terminate */
34 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */
35 dataGoodBuffer[100-1] = L'\0'; /* null terminate */
36 /* FLAW: Set data pointer to a small buffer */
37 data = dataBadBuffer;
38 {
39 wchar_t * data = dataRef;
40 {
41 wchar_t dest[100];
42 wmemset(dest, L'C', 100-1);
43 dest[100-1] = L'\0'; /* null terminate */
44 /* POTENTIAL FLAW: using memmove with the length of the dest where data
45 * could be smaller than dest causing buffer overread */
46 memmove(dest, data, wcslen(dest)*sizeof(wchar_t));❗VULN
47 dest[100-1] = L'\0';
48 printWLine(dest);
49 }
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B() uses the GoodSource with the BadSink */
58static void goodG2B()
59{
60 wchar_t * data;
61 wchar_t * &dataRef = data;
62 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
63 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
64 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */
65 dataBadBuffer[50-1] = L'\0'; /* null terminate */
66 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */
67 dataGoodBuffer[100-1] = L'\0'; /* null terminate */
68 /* FIX: Set data pointer to a large buffer */
69 data = dataGoodBuffer;
70 {
71 wchar_t * data = dataRef;
72 {
73 wchar_t dest[100];
74 wmemset(dest, L'C', 100-1);
75 dest[100-1] = L'\0'; /* null terminate */
76 /* POTENTIAL FLAW: using memmove with the length of the dest where data
77 * could be smaller than dest causing buffer overread */
78 memmove(dest, data, wcslen(dest)*sizeof(wchar_t));
79 dest[100-1] = L'\0';
80 printWLine(dest);
81 }
82 }
83}
84
85void good()
86{
87 goodG2B();
88}
89
90#endif /* OMITGOOD */
91
92} /* close namespace */
93
94/* Below is the main(). It is only used when building this testcase on
95 * its own for testing or for building a binary to use in testing binary
96 * analysis tools. It is not used when compiling all the testcases as one
97 * application, which is how source code analysis tools are tested.
98 */
99#ifdef INCLUDEMAIN
100
101using namespace CWE126_Buffer_Overread__wchar_t_alloca_memmove_33; /* so that we can use good and bad easily */
102
103int main(int argc, char * argv[])
104{
105 /* seed randomness */
106 srand( (unsigned)time(NULL) );
107#ifndef OMITGOOD
108 printLine("Calling good()...");
109 good();
110 printLine("Finished good()");
111#endif /* OMITGOOD */
112#ifndef OMITBAD
113 printLine("Calling bad()...");
114 bad();
115 printLine("Finished bad()");
116#endif /* OMITBAD */
117 return 0;
118}
119
120#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3689: CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cpy_07.c

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cpy_07.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__src.label.xml
4Template File: sources-sink-07.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: cpy
12 * BadSink : Copy data to string using strcpy
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The variable below is not declared "const", but is never assigned
22 * any other value so a tool should be able to identify that reads of
23 * this will always give its initialized value.
24 */
25static int staticFive = 5;
26
27#ifndef OMITBAD
28
29void CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cpy_07_bad()
30{
31 char * data;
32 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
33 data = dataBuffer;
34 if(staticFive==5)
35 {
36 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
37 memset(data, 'A', 100-1); /* fill with 'A's */
38 data[100-1] = '\0'; /* null terminate */
39 }
40 {
41 char dest[50] = "";
42 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
43 strcpy(dest, data);❗VULN
44 printLine(data);
45 }
46}
47
48#endif /* OMITBAD */
49
50#ifndef OMITGOOD
51
52/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
53static void goodG2B1()
54{
55 char * data;
56 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
57 data = dataBuffer;
58 if(staticFive!=5)
59 {
60 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
61 printLine("Benign, fixed string");
62 }
63 else
64 {
65 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
66 memset(data, 'A', 50-1); /* fill with 'A's */
67 data[50-1] = '\0'; /* null terminate */
68 }
69 {
70 char dest[50] = "";
71 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
72 strcpy(dest, data);
73 printLine(data);
74 }
75}
76
77/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
78static void goodG2B2()
79{
80 char * data;
81 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
82 data = dataBuffer;
83 if(staticFive==5)
84 {
85 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
86 memset(data, 'A', 50-1); /* fill with 'A's */
87 data[50-1] = '\0'; /* null terminate */
88 }
89 {
90 char dest[50] = "";
91 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
92 strcpy(dest, data);
93 printLine(data);
94 }
95}
96
97void CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cpy_07_good()
98{
99 goodG2B1();
100 goodG2B2();
101}
102
103#endif /* OMITGOOD */
104
105/* Below is the main(). It is only used when building this testcase on
106 * its own for testing or for building a binary to use in testing binary
107 * analysis tools. It is not used when compiling all the testcases as one
108 * application, which is how source code analysis tools are tested.
109 */
110
111#ifdef INCLUDEMAIN
112
113int main(int argc, char * argv[])
114{
115 /* seed randomness */
116 srand( (unsigned)time(NULL) );
117#ifndef OMITGOOD
118 printLine("Calling good()...");
119 CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cpy_07_good();
120 printLine("Finished good()");
121#endif /* OMITGOOD */
122#ifndef OMITBAD
123 printLine("Calling bad()...");
124 CWE121_Stack_Based_Buffer_Overflow__src_char_alloca_cpy_07_bad();
125 printLine("Finished bad()");
126#endif /* OMITBAD */
127 return 0;
128}
129
130#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4801: CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22a.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22a.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_dest.label.xml
4Template File: sources-sink-22a.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 * Sink: cat
12 * BadSink : Copy string to data using strcat
13 * Flow Variant: 22 Control flow: Flow controlled by value of a global variable. Sink functions are in a separate file from sources.
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23/* The global variable below is used to drive control flow in the source function */
24int CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_badGlobal = 0;
25
26char * CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_badSource(char * data);
27
28void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_bad()
29{
30 char * data;
31 data = NULL;
32 CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_badGlobal = 1; /* true */
33 data = CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_badSource(data);
34 {
35 char source[100];
36 memset(source, 'C', 100-1); /* fill with 'C's */
37 source[100-1] = '\0'; /* null terminate */
38 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
39 strcat(data, source);❗VULN
40 printLine(data);
41 free(data);
42 }
43}
44
45#endif /* OMITBAD */
46
47#ifndef OMITGOOD
48
49/* The global variables below are used to drive control flow in the source functions. */
50int CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_goodG2B1Global = 0;
51int CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_goodG2B2Global = 0;
52
53/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */
54char * CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_goodG2B1Source(char * data);
55
56static void goodG2B1()
57{
58 char * data;
59 data = NULL;
60 CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_goodG2B1Global = 0; /* false */
61 data = CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_goodG2B1Source(data);
62 {
63 char source[100];
64 memset(source, 'C', 100-1); /* fill with 'C's */
65 source[100-1] = '\0'; /* null terminate */
66 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
67 strcat(data, source);
68 printLine(data);
69 free(data);
70 }
71}
72
73/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */
74char * CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_goodG2B2Source(char * data);
75
76static void goodG2B2()
77{
78 char * data;
79 data = NULL;
80 CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_goodG2B2Global = 1; /* true */
81 data = CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_goodG2B2Source(data);
82 {
83 char source[100];
84 memset(source, 'C', 100-1); /* fill with 'C's */
85 source[100-1] = '\0'; /* null terminate */
86 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
87 strcat(data, source);
88 printLine(data);
89 free(data);
90 }
91}
92
93void CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_good()
94{
95 goodG2B1();
96 goodG2B2();
97}
98
99#endif /* OMITGOOD */
100
101/* Below is the main(). It is only used when building this testcase on
102 * its own for testing or for building a binary to use in testing binary
103 * analysis tools. It is not used when compiling all the testcases as one
104 * application, which is how source code analysis tools are tested.
105 */
106
107#ifdef INCLUDEMAIN
108
109int main(int argc, char * argv[])
110{
111 /* seed randomness */
112 srand( (unsigned)time(NULL) );
113#ifndef OMITGOOD
114 printLine("Calling good()...");
115 CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_good();
116 printLine("Finished good()");
117#endif /* OMITGOOD */
118#ifndef OMITBAD
119 printLine("Calling bad()...");
120 CWE122_Heap_Based_Buffer_Overflow__c_dest_char_cat_22_bad();
121 printLine("Finished bad()");
122#endif /* OMITBAD */
123 return 0;
124}
125
126#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5289: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_04.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_04.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml
4Template File: sources-sink-04.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: swprintf
12 * BadSink : Copy data to string using swprintf
13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifdef _WIN32
22#define SNPRINTF _snwprintf
23#else
24#define SNPRINTF swprintf
25#endif
26
27/* The two variables below are declared "const", so a tool should
28 * be able to identify that reads of these will always return their
29 * initialized values.
30 */
31static const int STATIC_CONST_TRUE = 1; /* true */
32static const int STATIC_CONST_FALSE = 0; /* false */
33
34#ifndef OMITBAD
35
36void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_04_bad()
37{
38 wchar_t * data;
39 data = (wchar_t *)malloc(100*sizeof(wchar_t));
40 if (data == NULL) {exit(-1);}
41 if(STATIC_CONST_TRUE)
42 {
43 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
44 wmemset(data, L'A', 100-1); /* fill with L'A's */
45 data[100-1] = L'\0'; /* null terminate */
46 }
47 {
48 wchar_t dest[50] = L"";
49 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
50 SNPRINTF(dest, wcslen(data), L"%s", data);❗VULN
51 printWLine(data);
52 free(data);
53 }
54}
55
56#endif /* OMITBAD */
57
58#ifndef OMITGOOD
59
60/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */
61static void goodG2B1()
62{
63 wchar_t * data;
64 data = (wchar_t *)malloc(100*sizeof(wchar_t));
65 if (data == NULL) {exit(-1);}
66 if(STATIC_CONST_FALSE)
67 {
68 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
69 printLine("Benign, fixed string");
70 }
71 else
72 {
73 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
74 wmemset(data, L'A', 50-1); /* fill with L'A's */
75 data[50-1] = L'\0'; /* null terminate */
76 }
77 {
78 wchar_t dest[50] = L"";
79 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
80 SNPRINTF(dest, wcslen(data), L"%s", data);
81 printWLine(data);
82 free(data);
83 }
84}
85
86/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
87static void goodG2B2()
88{
89 wchar_t * data;
90 data = (wchar_t *)malloc(100*sizeof(wchar_t));
91 if (data == NULL) {exit(-1);}
92 if(STATIC_CONST_TRUE)
93 {
94 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
95 wmemset(data, L'A', 50-1); /* fill with L'A's */
96 data[50-1] = L'\0'; /* null terminate */
97 }
98 {
99 wchar_t dest[50] = L"";
100 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
101 SNPRINTF(dest, wcslen(data), L"%s", data);
102 printWLine(data);
103 free(data);
104 }
105}
106
107void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_04_good()
108{
109 goodG2B1();
110 goodG2B2();
111}
112
113#endif /* OMITGOOD */
114
115/* Below is the main(). It is only used when building this testcase on
116 * its own for testing or for building a binary to use in testing binary
117 * analysis tools. It is not used when compiling all the testcases as one
118 * application, which is how source code analysis tools are tested.
119 */
120
121#ifdef INCLUDEMAIN
122
123int main(int argc, char * argv[])
124{
125 /* seed randomness */
126 srand( (unsigned)time(NULL) );
127#ifndef OMITGOOD
128 printLine("Calling good()...");
129 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_04_good();
130 printLine("Finished good()");
131#endif /* OMITGOOD */
132#ifndef OMITBAD
133 printLine("Calling bad()...");
134 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_04_bad();
135 printLine("Finished bad()");
136#endif /* OMITBAD */
137 return 0;
138}
139
140#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3477: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_07.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_07.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml
4Template File: sources-sink-07.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 * Sink: memmove
12 * BadSink : Copy int array to data using memmove
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19/* The variable below is not declared "const", but is never assigned
20 * any other value so a tool should be able to identify that reads of
21 * this will always give its initialized value.
22 */
23static int staticFive = 5;
24
25#ifndef OMITBAD
26
27void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_07_bad()
28{
29 int * data;
30 data = NULL;
31 if(staticFive==5)
32 {
33 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
34 data = (int *)malloc(50*sizeof(int));
35 if (data == NULL) {exit(-1);}
36 }
37 {
38 int source[100] = {0}; /* fill with 0's */
39 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
40 memmove(data, source, 100*sizeof(int));❗VULN
41 printIntLine(data[0]);
42 free(data);
43 }
44}
45
46#endif /* OMITBAD */
47
48#ifndef OMITGOOD
49
50/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
51static void goodG2B1()
52{
53 int * data;
54 data = NULL;
55 if(staticFive!=5)
56 {
57 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
58 printLine("Benign, fixed string");
59 }
60 else
61 {
62 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
63 data = (int *)malloc(100*sizeof(int));
64 if (data == NULL) {exit(-1);}
65 }
66 {
67 int source[100] = {0}; /* fill with 0's */
68 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
69 memmove(data, source, 100*sizeof(int));
70 printIntLine(data[0]);
71 free(data);
72 }
73}
74
75/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
76static void goodG2B2()
77{
78 int * data;
79 data = NULL;
80 if(staticFive==5)
81 {
82 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
83 data = (int *)malloc(100*sizeof(int));
84 if (data == NULL) {exit(-1);}
85 }
86 {
87 int source[100] = {0}; /* fill with 0's */
88 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
89 memmove(data, source, 100*sizeof(int));
90 printIntLine(data[0]);
91 free(data);
92 }
93}
94
95void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_07_good()
96{
97 goodG2B1();
98 goodG2B2();
99}
100
101#endif /* OMITGOOD */
102
103/* Below is the main(). It is only used when building this testcase on
104 * its own for testing or for building a binary to use in testing binary
105 * analysis tools. It is not used when compiling all the testcases as one
106 * application, which is how source code analysis tools are tested.
107 */
108
109#ifdef INCLUDEMAIN
110
111int main(int argc, char * argv[])
112{
113 /* seed randomness */
114 srand( (unsigned)time(NULL) );
115#ifndef OMITGOOD
116 printLine("Calling good()...");
117 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_07_good();
118 printLine("Finished good()");
119#endif /* OMITGOOD */
120#ifndef OMITBAD
121 printLine("Calling bad()...");
122 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_int_memmove_07_bad();
123 printLine("Finished bad()");
124#endif /* OMITBAD */
125 return 0;
126}
127
128#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2455: CWE126_Buffer_Overread__wchar_t_declare_loop_16.c

Nodes: 21 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__wchar_t_declare_loop_16.c
3Label Definition File: CWE126_Buffer_Overread.stack.label.xml
4Template File: sources-sink-16.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Set data pointer to a small buffer
10 * GoodSource: Set data pointer to a large buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 16 Control flow: while(1)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE126_Buffer_Overread__wchar_t_declare_loop_16_bad()
24{
25 wchar_t * data;
26 wchar_t dataBadBuffer[50];
27 wchar_t dataGoodBuffer[100];
28 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */
29 dataBadBuffer[50-1] = L'\0'; /* null terminate */
30 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */
31 dataGoodBuffer[100-1] = L'\0'; /* null terminate */
32 while(1)
33 {
34 /* FLAW: Set data pointer to a small buffer */
35 data = dataBadBuffer;
36 break;
37 }
38 {
39 size_t i, destLen;
40 wchar_t dest[100];
41 wmemset(dest, L'C', 100-1);
42 dest[100-1] = L'\0'; /* null terminate */
43 destLen = wcslen(dest);
44 /* POTENTIAL FLAW: using length of the dest where data
45 * could be smaller than dest causing buffer overread */
46 for (i = 0; i < destLen; i++)
47 {
48 dest[i] = data[i];❗VULN
49 }
50 dest[100-1] = L'\0';
51 printWLine(dest);
52 }
53}
54
55#endif /* OMITBAD */
56
57#ifndef OMITGOOD
58
59/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */
60static void goodG2B()
61{
62 wchar_t * data;
63 wchar_t dataBadBuffer[50];
64 wchar_t dataGoodBuffer[100];
65 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */
66 dataBadBuffer[50-1] = L'\0'; /* null terminate */
67 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */
68 dataGoodBuffer[100-1] = L'\0'; /* null terminate */
69 while(1)
70 {
71 /* FIX: Set data pointer to a large buffer */
72 data = dataGoodBuffer;
73 break;
74 }
75 {
76 size_t i, destLen;
77 wchar_t dest[100];
78 wmemset(dest, L'C', 100-1);
79 dest[100-1] = L'\0'; /* null terminate */
80 destLen = wcslen(dest);
81 /* POTENTIAL FLAW: using length of the dest where data
82 * could be smaller than dest causing buffer overread */
83 for (i = 0; i < destLen; i++)
84 {
85 dest[i] = data[i];
86 }
87 dest[100-1] = L'\0';
88 printWLine(dest);
89 }
90}
91
92void CWE126_Buffer_Overread__wchar_t_declare_loop_16_good()
93{
94 goodG2B();
95}
96
97#endif /* OMITGOOD */
98
99/* Below is the main(). It is only used when building this testcase on
100 * its own for testing or for building a binary to use in testing binary
101 * analysis tools. It is not used when compiling all the testcases as one
102 * application, which is how source code analysis tools are tested.
103 */
104
105#ifdef INCLUDEMAIN
106
107int main(int argc, char * argv[])
108{
109 /* seed randomness */
110 srand( (unsigned)time(NULL) );
111#ifndef OMITGOOD
112 printLine("Calling good()...");
113 CWE126_Buffer_Overread__wchar_t_declare_loop_16_good();
114 printLine("Finished good()");
115#endif /* OMITGOOD */
116#ifndef OMITBAD
117 printLine("Calling bad()...");
118 CWE126_Buffer_Overread__wchar_t_declare_loop_16_bad();
119 printLine("Finished bad()");
120#endif /* OMITBAD */
121 return 0;
122}
123
124#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3940: CWE122_Heap_Based_Buffer_Overflow__sizeof_double_11.c

Nodes: 9 | Sink Nodes: 7 predicted, 2 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__sizeof_double_11.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__sizeof.label.xml
4Template File: sources-sink-11.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize the source buffer using the size of a pointer
10 * GoodSource: Initialize the source buffer using the size of the DataElementType
11 * Sink:
12 * BadSink : Print then free data
13 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE122_Heap_Based_Buffer_Overflow__sizeof_double_11_bad()
22{
23 double * data;
24 /* Initialize data */
25 data = NULL;
26 if(globalReturnsTrue())
27 {
28 /* INCIDENTAL: CWE-467 (Use of sizeof() on a pointer type) */
29 /* FLAW: Using sizeof the pointer and not the data type in malloc() */
30 data = (double *)malloc(sizeof(data));
31 if (data == NULL) {exit(-1);}
32 *data = 1.7E300;❗VULN
33 }
34 /* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */
35 printDoubleLine(*data);❗VULN
36 free(data);
37}
38
39#endif /* OMITBAD */
40
41#ifndef OMITGOOD
42
43/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */
44static void goodG2B1()
45{
46 double * data;
47 /* Initialize data */
48 data = NULL;
49 if(globalReturnsFalse())
50 {
51 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
52 printLine("Benign, fixed string");
53 }
54 else
55 {
56 /* FIX: Using sizeof the data type in malloc() */
57 data = (double *)malloc(sizeof(*data));
58 if (data == NULL) {exit(-1);}
59 *data = 1.7E300;
60 }
61 /* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */
62 printDoubleLine(*data);
63 free(data);
64}
65
66/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
67static void goodG2B2()
68{
69 double * data;
70 /* Initialize data */
71 data = NULL;
72 if(globalReturnsTrue())
73 {
74 /* FIX: Using sizeof the data type in malloc() */
75 data = (double *)malloc(sizeof(*data));
76 if (data == NULL) {exit(-1);}
77 *data = 1.7E300;
78 }
79 /* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */
80 printDoubleLine(*data);
81 free(data);
82}
83
84void CWE122_Heap_Based_Buffer_Overflow__sizeof_double_11_good()
85{
86 goodG2B1();
87 goodG2B2();
88}
89
90#endif /* OMITGOOD */
91
92/* Below is the main(). It is only used when building this testcase on
93 * its own for testing or for building a binary to use in testing binary
94 * analysis tools. It is not used when compiling all the testcases as one
95 * application, which is how source code analysis tools are tested.
96 */
97
98#ifdef INCLUDEMAIN
99
100int main(int argc, char * argv[])
101{
102 /* seed randomness */
103 srand( (unsigned)time(NULL) );
104#ifndef OMITGOOD
105 printLine("Calling good()...");
106 CWE122_Heap_Based_Buffer_Overflow__sizeof_double_11_good();
107 printLine("Finished good()");
108#endif /* OMITGOOD */
109#ifndef OMITBAD
110 printLine("Calling bad()...");
111 CWE122_Heap_Based_Buffer_Overflow__sizeof_double_11_bad();
112 printLine("Finished bad()");
113#endif /* OMITBAD */
114 return 0;
115}
116
117#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8226: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_class_memcpy_34.cpp

Nodes: 16 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_class_memcpy_34.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.label.xml
4Template File: sources-sink-34.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sinks: memcpy
12 * BadSink : Copy TwoIntsClass array to data using memcpy
13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)
14 *
15 * */
16
17#include "std_testcase.h"
18
19namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_class_memcpy_34
20{
21
22typedef union
23{
24 TwoIntsClass * unionFirst;
25 TwoIntsClass * unionSecond;
26} unionType;
27
28#ifndef OMITBAD
29
30void bad()
31{
32 TwoIntsClass * data;
33 unionType myUnion;
34 data = NULL;
35 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
36 data = new TwoIntsClass[50];
37 myUnion.unionFirst = data;
38 {
39 TwoIntsClass * data = myUnion.unionSecond;
40 {
41 TwoIntsClass source[100];
42 {
43 size_t i;
44 /* Initialize array */
45 for (i = 0; i < 100; i++)
46 {
47 source[i].intOne = 0;
48 source[i].intTwo = 0;
49 }
50 }
51 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
52 memcpy(data, source, 100*sizeof(TwoIntsClass));❗VULN
53 printIntLine(data[0].intOne);
54 delete [] data;
55 }
56 }
57}
58
59#endif /* OMITBAD */
60
61#ifndef OMITGOOD
62
63/* goodG2B() uses the GoodSource with the BadSink */
64static void goodG2B()
65{
66 TwoIntsClass * data;
67 unionType myUnion;
68 data = NULL;
69 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
70 data = new TwoIntsClass[100];
71 myUnion.unionFirst = data;
72 {
73 TwoIntsClass * data = myUnion.unionSecond;
74 {
75 TwoIntsClass source[100];
76 {
77 size_t i;
78 /* Initialize array */
79 for (i = 0; i < 100; i++)
80 {
81 source[i].intOne = 0;
82 source[i].intTwo = 0;
83 }
84 }
85 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
86 memcpy(data, source, 100*sizeof(TwoIntsClass));
87 printIntLine(data[0].intOne);
88 delete [] data;
89 }
90 }
91}
92
93void good()
94{
95 goodG2B();
96}
97
98#endif /* OMITGOOD */
99
100} /* close namespace */
101
102/* Below is the main(). It is only used when building this testcase on
103 its own for testing or for building a binary to use in testing binary
104 analysis tools. It is not used when compiling all the testcases as one
105 application, which is how source code analysis tools are tested. */
106#ifdef INCLUDEMAIN
107
108using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_class_memcpy_34; /* so that we can use good and bad easily */
109
110int main(int argc, char * argv[])
111{
112 /* seed randomness */
113 srand( (unsigned)time(NULL) );
114#ifndef OMITGOOD
115 printLine("Calling good()...");
116 good();
117 printLine("Finished good()");
118#endif /* OMITGOOD */
119#ifndef OMITBAD
120 printLine("Calling bad()...");
121 bad();
122 printLine("Finished bad()");
123#endif /* OMITBAD */
124 return 0;
125}
126
127#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1444: CWE124_Buffer_Underwrite__new_char_memcpy_14.cpp

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__new_char_memcpy_14.cpp
3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml
4Template File: sources-sink-14.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memcpy
12 * BadSink : Copy string to data using memcpy
13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE124_Buffer_Underwrite__new_char_memcpy_14
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 char * data;
29 data = NULL;
30 if(globalFive==5)
31 {
32 {
33 char * dataBuffer = new char[100];
34 memset(dataBuffer, 'A', 100-1);
35 dataBuffer[100-1] = '\0';
36 /* FLAW: Set data pointer to before the allocated memory buffer */
37 data = dataBuffer - 8;
38 }
39 }
40 {
41 char source[100];
42 memset(source, 'C', 100-1); /* fill with 'C's */
43 source[100-1] = '\0'; /* null terminate */
44 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
45 memcpy(data, source, 100*sizeof(char));❗VULN
46 /* Ensure the destination buffer is null terminated */
47 data[100-1] = '\0';
48 printLine(data);
49 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
50 * returned by new [] so can't safely call delete [] on it */
51 }
52}
53
54#endif /* OMITBAD */
55
56#ifndef OMITGOOD
57
58/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */
59static void goodG2B1()
60{
61 char * data;
62 data = NULL;
63 if(globalFive!=5)
64 {
65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
66 printLine("Benign, fixed string");
67 }
68 else
69 {
70 {
71 char * dataBuffer = new char[100];
72 memset(dataBuffer, 'A', 100-1);
73 dataBuffer[100-1] = '\0';
74 /* FIX: Set data pointer to the allocated memory buffer */
75 data = dataBuffer;
76 }
77 }
78 {
79 char source[100];
80 memset(source, 'C', 100-1); /* fill with 'C's */
81 source[100-1] = '\0'; /* null terminate */
82 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
83 memcpy(data, source, 100*sizeof(char));
84 /* Ensure the destination buffer is null terminated */
85 data[100-1] = '\0';
86 printLine(data);
87 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
88 * returned by new [] so can't safely call delete [] on it */
89 }
90}
91
92/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
93static void goodG2B2()
94{
95 char * data;
96 data = NULL;
97 if(globalFive==5)
98 {
99 {
100 char * dataBuffer = new char[100];
101 memset(dataBuffer, 'A', 100-1);
102 dataBuffer[100-1] = '\0';
103 /* FIX: Set data pointer to the allocated memory buffer */
104 data = dataBuffer;
105 }
106 }
107 {
108 char source[100];
109 memset(source, 'C', 100-1); /* fill with 'C's */
110 source[100-1] = '\0'; /* null terminate */
111 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
112 memcpy(data, source, 100*sizeof(char));
113 /* Ensure the destination buffer is null terminated */
114 data[100-1] = '\0';
115 printLine(data);
116 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
117 * returned by new [] so can't safely call delete [] on it */
118 }
119}
120
121void good()
122{
123 goodG2B1();
124 goodG2B2();
125}
126
127#endif /* OMITGOOD */
128
129} /* close namespace */
130
131/* Below is the main(). It is only used when building this testcase on
132 its own for testing or for building a binary to use in testing binary
133 analysis tools. It is not used when compiling all the testcases as one
134 application, which is how source code analysis tools are tested. */
135
136#ifdef INCLUDEMAIN
137
138using namespace CWE124_Buffer_Underwrite__new_char_memcpy_14; /* so that we can use good and bad easily */
139
140int main(int argc, char * argv[])
141{
142 /* seed randomness */
143 srand( (unsigned)time(NULL) );
144#ifndef OMITGOOD
145 printLine("Calling good()...");
146 good();
147 printLine("Finished good()");
148#endif /* OMITGOOD */
149#ifndef OMITBAD
150 printLine("Calling bad()...");
151 bad();
152 printLine("Finished bad()");
153#endif /* OMITBAD */
154 return 0;
155}
156
157#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3325: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_07.cpp

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_07.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806.label.xml
4Template File: sources-sink-07.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: ncpy
12 * BadSink : Copy data to string using strncpy
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The variable below is not declared "const", but is never assigned
22 any other value so a tool should be able to identify that reads of
23 this will always give its initialized value. */
24static int staticFive = 5;
25
26namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_07
27{
28
29#ifndef OMITBAD
30
31void bad()
32{
33 char * data;
34 data = new char[100];
35 if(staticFive==5)
36 {
37 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
38 memset(data, 'A', 100-1); /* fill with 'A's */
39 data[100-1] = '\0'; /* null terminate */
40 }
41 {
42 char dest[50] = "";
43 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
44 strncpy(dest, data, strlen(data));❗VULN
45 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
46 printLine(data);
47 delete [] data;
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
56static void goodG2B1()
57{
58 char * data;
59 data = new char[100];
60 if(staticFive!=5)
61 {
62 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
63 printLine("Benign, fixed string");
64 }
65 else
66 {
67 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
68 memset(data, 'A', 50-1); /* fill with 'A's */
69 data[50-1] = '\0'; /* null terminate */
70 }
71 {
72 char dest[50] = "";
73 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
74 strncpy(dest, data, strlen(data));
75 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
76 printLine(data);
77 delete [] data;
78 }
79}
80
81/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
82static void goodG2B2()
83{
84 char * data;
85 data = new char[100];
86 if(staticFive==5)
87 {
88 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
89 memset(data, 'A', 50-1); /* fill with 'A's */
90 data[50-1] = '\0'; /* null terminate */
91 }
92 {
93 char dest[50] = "";
94 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
95 strncpy(dest, data, strlen(data));
96 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
97 printLine(data);
98 delete [] data;
99 }
100}
101
102void good()
103{
104 goodG2B1();
105 goodG2B2();
106}
107
108#endif /* OMITGOOD */
109
110} /* close namespace */
111
112/* Below is the main(). It is only used when building this testcase on
113 its own for testing or for building a binary to use in testing binary
114 analysis tools. It is not used when compiling all the testcases as one
115 application, which is how source code analysis tools are tested. */
116
117#ifdef INCLUDEMAIN
118
119using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncpy_07; /* so that we can use good and bad easily */
120
121int main(int argc, char * argv[])
122{
123 /* seed randomness */
124 srand( (unsigned)time(NULL) );
125#ifndef OMITGOOD
126 printLine("Calling good()...");
127 good();
128 printLine("Finished good()");
129#endif /* OMITGOOD */
130#ifndef OMITBAD
131 printLine("Calling bad()...");
132 bad();
133 printLine("Finished bad()");
134#endif /* OMITBAD */
135 return 0;
136}
137
138#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6700: CWE124_Buffer_Underwrite__CWE839_connect_socket_45.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__CWE839_connect_socket_45.c
3Label Definition File: CWE124_Buffer_Underwrite__CWE839.label.xml
4Template File: sources-sinks-45.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: connect_socket Read data using a connect socket (client side)
10 * GoodSource: Non-negative but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the lower bound
14 * Flow Variant: 45 Data flow: data passed as a static global variable from one function to another in the same source file
15 *
16 * */
17
18#include "std_testcase.h"
19
20#ifdef _WIN32
21#include <winsock2.h>
22#include <windows.h>
23#include <direct.h>
24#pragma comment(lib, "ws2_32") /* include ws2_32.lib when linking */
25#define CLOSE_SOCKET closesocket
26#else /* NOT _WIN32 */
27#include <sys/types.h>
28#include <sys/socket.h>
29#include <netinet/in.h>
30#include <arpa/inet.h>
31#include <unistd.h>
32#define INVALID_SOCKET -1
33#define SOCKET_ERROR -1
34#define CLOSE_SOCKET close
35#define SOCKET int
36#endif
37
38#define TCP_PORT 27015
39#define IP_ADDRESS "127.0.0.1"
40#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)
41
42static int CWE124_Buffer_Underwrite__CWE839_connect_socket_45_badData;
43static int CWE124_Buffer_Underwrite__CWE839_connect_socket_45_goodG2BData;
44static int CWE124_Buffer_Underwrite__CWE839_connect_socket_45_goodB2GData;
45
46#ifndef OMITBAD
47
48static void badSink()
49{
50 int data = CWE124_Buffer_Underwrite__CWE839_connect_socket_45_badData;
51 {
52 int i;
53 int buffer[10] = { 0 };
54 /* POTENTIAL FLAW: Attempt to access a negative index of the array
55 * This code does not check to see if the array index is negative */
56 if (data < 10)
57 {
58 buffer[data] = 1;❗VULN
59 /* Print the array values */
60 for(i = 0; i < 10; i++)
61 {
62 printIntLine(buffer[i]);
63 }
64 }
65 else
66 {
67 printLine("ERROR: Array index is negative.");
68 }
69 }
70}
71
72void CWE124_Buffer_Underwrite__CWE839_connect_socket_45_bad()
73{
74 int data;
75 /* Initialize data */
76 data = -1;
77 {
78#ifdef _WIN32
79 WSADATA wsaData;
80 int wsaDataInit = 0;
81#endif
82 int recvResult;
83 struct sockaddr_in service;
84 SOCKET connectSocket = INVALID_SOCKET;
85 char inputBuffer[CHAR_ARRAY_SIZE];
86 do
87 {
88#ifdef _WIN32
89 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
90 {
91 break;
92 }
93 wsaDataInit = 1;
94#endif
95 /* POTENTIAL FLAW: Read data using a connect socket */
96 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
97 if (connectSocket == INVALID_SOCKET)
98 {
99 break;
100 }
101 memset(&service, 0, sizeof(service));
102 service.sin_family = AF_INET;
103 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);
104 service.sin_port = htons(TCP_PORT);
105 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
106 {
107 break;
108 }
109 /* Abort on error or the connection was closed, make sure to recv one
110 * less char than is in the recv_buf in order to append a terminator */
111 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);
112 if (recvResult == SOCKET_ERROR || recvResult == 0)
113 {
114 break;
115 }
116 /* NUL-terminate the string */
117 inputBuffer[recvResult] = '\0';
118 /* Convert to int */
119 data = atoi(inputBuffer);
120 }
121 while (0);
122 if (connectSocket != INVALID_SOCKET)
123 {
124 CLOSE_SOCKET(connectSocket);
125 }
126#ifdef _WIN32
127 if (wsaDataInit)
128 {
129 WSACleanup();
130 }
131#endif
132 }
133 CWE124_Buffer_Underwrite__CWE839_connect_socket_45_badData = data;
134 badSink();
135}
136
137#endif /* OMITBAD */
138
139#ifndef OMITGOOD
140
141/* goodG2B() uses the GoodSource with the BadSink */
142static void goodG2BSink()
143{
144 int data = CWE124_Buffer_Underwrite__CWE839_connect_socket_45_goodG2BData;
145 {
146 int i;
147 int buffer[10] = { 0 };
148 /* POTENTIAL FLAW: Attempt to access a negative index of the array
149 * This code does not check to see if the array index is negative */
150 if (data < 10)
151 {
152 buffer[data] = 1;
153 /* Print the array values */
154 for(i = 0; i < 10; i++)
155 {
156 printIntLine(buffer[i]);
157 }
158 }
159 else
160 {
161 printLine("ERROR: Array index is negative.");
162 }
163 }
164}
165
166static void goodG2B()
167{
168 int data;
169 /* Initialize data */
170 data = -1;
171 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
172 * access an index of the array in the sink that is out-of-bounds */
173 data = 7;
174 CWE124_Buffer_Underwrite__CWE839_connect_socket_45_goodG2BData = data;
175 goodG2BSink();
176}
177
178/* goodB2G() uses the BadSource with the GoodSink */
179static void goodB2GSink()
180{
181 int data = CWE124_Buffer_Underwrite__CWE839_connect_socket_45_goodB2GData;
182 {
183 int i;
184 int buffer[10] = { 0 };
185 /* FIX: Properly validate the array index and prevent a buffer underwrite */
186 if (data >= 0 && data < (10))
187 {
188 buffer[data] = 1;
189 /* Print the array values */
190 for(i = 0; i < 10; i++)
191 {
192 printIntLine(buffer[i]);
193 }
194 }
195 else
196 {
197 printLine("ERROR: Array index is out-of-bounds");
198 }
199 }
200}
201
202static void goodB2G()
203{
204 int data;
205 /* Initialize data */
206 data = -1;
207 {
208#ifdef _WIN32
209 WSADATA wsaData;
210 int wsaDataInit = 0;
211#endif
212 int recvResult;
213 struct sockaddr_in service;
214 SOCKET connectSocket = INVALID_SOCKET;
215 char inputBuffer[CHAR_ARRAY_SIZE];
216 do
217 {
218#ifdef _WIN32
219 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
220 {
221 break;
222 }
223 wsaDataInit = 1;
224#endif
225 /* POTENTIAL FLAW: Read data using a connect socket */
226 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
227 if (connectSocket == INVALID_SOCKET)
228 {
229 break;
230 }
231 memset(&service, 0, sizeof(service));
232 service.sin_family = AF_INET;
233 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);
234 service.sin_port = htons(TCP_PORT);
235 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
236 {
237 break;
238 }
239 /* Abort on error or the connection was closed, make sure to recv one
240 * less char than is in the recv_buf in order to append a terminator */
241 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);
242 if (recvResult == SOCKET_ERROR || recvResult == 0)
243 {
244 break;
245 }
246 /* NUL-terminate the string */
247 inputBuffer[recvResult] = '\0';
248 /* Convert to int */
249 data = atoi(inputBuffer);
250 }
251 while (0);
252 if (connectSocket != INVALID_SOCKET)
253 {
254 CLOSE_SOCKET(connectSocket);
255 }
256#ifdef _WIN32
257 if (wsaDataInit)
258 {
259 WSACleanup();
260 }
261#endif
262 }
263 CWE124_Buffer_Underwrite__CWE839_connect_socket_45_goodB2GData = data;
264 goodB2GSink();
265}
266
267void CWE124_Buffer_Underwrite__CWE839_connect_socket_45_good()
268{
269 goodG2B();
270 goodB2G();
271}
272
273#endif /* OMITGOOD */
274
275/* Below is the main(). It is only used when building this testcase on
276 its own for testing or for building a binary to use in testing binary
277 analysis tools. It is not used when compiling all the testcases as one
278 application, which is how source code analysis tools are tested. */
279#ifdef INCLUDEMAIN
280
281int main(int argc, char * argv[])
282{
283 /* seed randomness */
284 srand( (unsigned)time(NULL) );
285#ifndef OMITGOOD
286 printLine("Calling good()...");
287 CWE124_Buffer_Underwrite__CWE839_connect_socket_45_good();
288 printLine("Finished good()");
289#endif /* OMITGOOD */
290#ifndef OMITBAD
291 printLine("Calling bad()...");
292 CWE124_Buffer_Underwrite__CWE839_connect_socket_45_bad();
293 printLine("Finished bad()");
294#endif /* OMITBAD */
295 return 0;
296}
297
298#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4175: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_03.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_03.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml
4Template File: sources-sink-03.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 03 Control flow: if(5==5) and if(5!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_03_bad()
24{
25 char * data;
26 data = (char *)malloc(100*sizeof(char));
27 if (data == NULL) {exit(-1);}
28 if(5==5)
29 {
30 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
31 memset(data, 'A', 100-1); /* fill with 'A's */
32 data[100-1] = '\0'; /* null terminate */
33 }
34 {
35 char dest[50] = "";
36 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
37 memcpy(dest, data, strlen(data)*sizeof(char));❗VULN
38 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
39 printLine(data);
40 free(data);
41 }
42}
43
44#endif /* OMITBAD */
45
46#ifndef OMITGOOD
47
48/* goodG2B1() - use goodsource and badsink by changing the 5==5 to 5!=5 */
49static void goodG2B1()
50{
51 char * data;
52 data = (char *)malloc(100*sizeof(char));
53 if (data == NULL) {exit(-1);}
54 if(5!=5)
55 {
56 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
57 printLine("Benign, fixed string");
58 }
59 else
60 {
61 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
62 memset(data, 'A', 50-1); /* fill with 'A's */
63 data[50-1] = '\0'; /* null terminate */
64 }
65 {
66 char dest[50] = "";
67 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
68 memcpy(dest, data, strlen(data)*sizeof(char));
69 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
70 printLine(data);
71 free(data);
72 }
73}
74
75/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
76static void goodG2B2()
77{
78 char * data;
79 data = (char *)malloc(100*sizeof(char));
80 if (data == NULL) {exit(-1);}
81 if(5==5)
82 {
83 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
84 memset(data, 'A', 50-1); /* fill with 'A's */
85 data[50-1] = '\0'; /* null terminate */
86 }
87 {
88 char dest[50] = "";
89 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
90 memcpy(dest, data, strlen(data)*sizeof(char));
91 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
92 printLine(data);
93 free(data);
94 }
95}
96
97void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_03_good()
98{
99 goodG2B1();
100 goodG2B2();
101}
102
103#endif /* OMITGOOD */
104
105/* Below is the main(). It is only used when building this testcase on
106 * its own for testing or for building a binary to use in testing binary
107 * analysis tools. It is not used when compiling all the testcases as one
108 * application, which is how source code analysis tools are tested.
109 */
110
111#ifdef INCLUDEMAIN
112
113int main(int argc, char * argv[])
114{
115 /* seed randomness */
116 srand( (unsigned)time(NULL) );
117#ifndef OMITGOOD
118 printLine("Calling good()...");
119 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_03_good();
120 printLine("Finished good()");
121#endif /* OMITGOOD */
122#ifndef OMITBAD
123 printLine("Calling bad()...");
124 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_03_bad();
125 printLine("Finished bad()");
126#endif /* OMITBAD */
127 return 0;
128}
129
130#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5595: CWE126_Buffer_Overread__malloc_char_loop_68b.c

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__malloc_char_loop_68b.c
3Label Definition File: CWE126_Buffer_Overread__malloc.label.xml
4Template File: sources-sink-68b.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Use a small buffer
10 * GoodSource: Use a large buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 68 Data flow: data passed as a global variable from one function to another in different source files
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21extern char * CWE126_Buffer_Overread__malloc_char_loop_68_badData;
22extern char * CWE126_Buffer_Overread__malloc_char_loop_68_goodG2BData;
23
24/* all the sinks are the same, we just want to know where the hit originated if a tool flags one */
25
26#ifndef OMITBAD
27
28void CWE126_Buffer_Overread__malloc_char_loop_68b_badSink()
29{
30 char * data = CWE126_Buffer_Overread__malloc_char_loop_68_badData;
31 {
32 size_t i, destLen;
33 char dest[100];
34 memset(dest, 'C', 100-1);
35 dest[100-1] = '\0'; /* null terminate */
36 destLen = strlen(dest);
37 /* POTENTIAL FLAW: using length of the dest where data
38 * could be smaller than dest causing buffer overread */
39 for (i = 0; i < destLen; i++)
40 {
41 dest[i] = data[i];❗VULN
42 }
43 dest[100-1] = '\0';
44 printLine(dest);
45 free(data);
46 }
47}
48
49#endif /* OMITBAD */
50
51#ifndef OMITGOOD
52
53/* goodG2B uses the GoodSource with the BadSink */
54void CWE126_Buffer_Overread__malloc_char_loop_68b_goodG2BSink()
55{
56 char * data = CWE126_Buffer_Overread__malloc_char_loop_68_goodG2BData;
57 {
58 size_t i, destLen;
59 char dest[100];
60 memset(dest, 'C', 100-1);
61 dest[100-1] = '\0'; /* null terminate */
62 destLen = strlen(dest);
63 /* POTENTIAL FLAW: using length of the dest where data
64 * could be smaller than dest causing buffer overread */
65 for (i = 0; i < destLen; i++)
66 {
67 dest[i] = data[i];
68 }
69 dest[100-1] = '\0';
70 printLine(dest);
71 free(data);
72 }
73}
74
75#endif /* OMITGOOD */

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8850: CWE127_Buffer_Underread__wchar_t_declare_memcpy_68b.c

Nodes: 7 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__wchar_t_declare_memcpy_68b.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-68b.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 68 Data flow: data passed as a global variable from one function to another in different source files
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21extern wchar_t * CWE127_Buffer_Underread__wchar_t_declare_memcpy_68_badData;
22extern wchar_t * CWE127_Buffer_Underread__wchar_t_declare_memcpy_68_goodG2BData;
23
24/* all the sinks are the same, we just want to know where the hit originated if a tool flags one */
25
26#ifndef OMITBAD
27
28void CWE127_Buffer_Underread__wchar_t_declare_memcpy_68b_badSink()
29{
30 wchar_t * data = CWE127_Buffer_Underread__wchar_t_declare_memcpy_68_badData;
31 {
32 wchar_t dest[100];
33 wmemset(dest, L'C', 100-1); /* fill with 'C's */
34 dest[100-1] = L'\0'; /* null terminate */
35 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
36 memcpy(dest, data, 100*sizeof(wchar_t));❗VULN
37 /* Ensure null termination */
38 dest[100-1] = L'\0';
39 printWLine(dest);
40 }
41}
42
43#endif /* OMITBAD */
44
45#ifndef OMITGOOD
46
47/* goodG2B uses the GoodSource with the BadSink */
48void CWE127_Buffer_Underread__wchar_t_declare_memcpy_68b_goodG2BSink()
49{
50 wchar_t * data = CWE127_Buffer_Underread__wchar_t_declare_memcpy_68_goodG2BData;
51 {
52 wchar_t dest[100];
53 wmemset(dest, L'C', 100-1); /* fill with 'C's */
54 dest[100-1] = L'\0'; /* null terminate */
55 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
56 memcpy(dest, data, 100*sizeof(wchar_t));
57 /* Ensure null termination */
58 dest[100-1] = L'\0';
59 printWLine(dest);
60 }
61}
62
63#endif /* OMITGOOD */

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2867: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_14.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_14.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml
4Template File: sources-sink-14.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_14_bad()
24{
25 char * data;
26 data = (char *)malloc(100*sizeof(char));
27 if (data == NULL) {exit(-1);}
28 if(globalFive==5)
29 {
30 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
31 memset(data, 'A', 100-1); /* fill with 'A's */
32 data[100-1] = '\0'; /* null terminate */
33 }
34 {
35 char dest[50] = "";
36 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
37 memcpy(dest, data, strlen(data)*sizeof(char));❗VULN
38 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
39 printLine(data);
40 free(data);
41 }
42}
43
44#endif /* OMITBAD */
45
46#ifndef OMITGOOD
47
48/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */
49static void goodG2B1()
50{
51 char * data;
52 data = (char *)malloc(100*sizeof(char));
53 if (data == NULL) {exit(-1);}
54 if(globalFive!=5)
55 {
56 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
57 printLine("Benign, fixed string");
58 }
59 else
60 {
61 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
62 memset(data, 'A', 50-1); /* fill with 'A's */
63 data[50-1] = '\0'; /* null terminate */
64 }
65 {
66 char dest[50] = "";
67 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
68 memcpy(dest, data, strlen(data)*sizeof(char));
69 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
70 printLine(data);
71 free(data);
72 }
73}
74
75/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
76static void goodG2B2()
77{
78 char * data;
79 data = (char *)malloc(100*sizeof(char));
80 if (data == NULL) {exit(-1);}
81 if(globalFive==5)
82 {
83 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
84 memset(data, 'A', 50-1); /* fill with 'A's */
85 data[50-1] = '\0'; /* null terminate */
86 }
87 {
88 char dest[50] = "";
89 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
90 memcpy(dest, data, strlen(data)*sizeof(char));
91 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
92 printLine(data);
93 free(data);
94 }
95}
96
97void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_14_good()
98{
99 goodG2B1();
100 goodG2B2();
101}
102
103#endif /* OMITGOOD */
104
105/* Below is the main(). It is only used when building this testcase on
106 * its own for testing or for building a binary to use in testing binary
107 * analysis tools. It is not used when compiling all the testcases as one
108 * application, which is how source code analysis tools are tested.
109 */
110
111#ifdef INCLUDEMAIN
112
113int main(int argc, char * argv[])
114{
115 /* seed randomness */
116 srand( (unsigned)time(NULL) );
117#ifndef OMITGOOD
118 printLine("Calling good()...");
119 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_14_good();
120 printLine("Finished good()");
121#endif /* OMITGOOD */
122#ifndef OMITBAD
123 printLine("Calling bad()...");
124 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_memcpy_14_bad();
125 printLine("Finished bad()");
126#endif /* OMITBAD */
127 return 0;
128}
129
130#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4924: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memmove_06.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memmove_06.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml
4Template File: sources-sink-06.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The variable below is declared "const", so a tool should be able
22 * to identify that reads of this will always give its initialized value. */
23static const int STATIC_CONST_FIVE = 5;
24
25#ifndef OMITBAD
26
27void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memmove_06_bad()
28{
29 char * data;
30 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
31 data = dataBuffer;
32 if(STATIC_CONST_FIVE==5)
33 {
34 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
35 memset(data, 'A', 100-1); /* fill with 'A's */
36 data[100-1] = '\0'; /* null terminate */
37 }
38 {
39 char dest[50] = "";
40 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
41 memmove(dest, data, strlen(data)*sizeof(char));❗VULN
42 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
43 printLine(data);
44 }
45}
46
47#endif /* OMITBAD */
48
49#ifndef OMITGOOD
50
51/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */
52static void goodG2B1()
53{
54 char * data;
55 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
56 data = dataBuffer;
57 if(STATIC_CONST_FIVE!=5)
58 {
59 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
60 printLine("Benign, fixed string");
61 }
62 else
63 {
64 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
65 memset(data, 'A', 50-1); /* fill with 'A's */
66 data[50-1] = '\0'; /* null terminate */
67 }
68 {
69 char dest[50] = "";
70 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
71 memmove(dest, data, strlen(data)*sizeof(char));
72 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
73 printLine(data);
74 }
75}
76
77/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
78static void goodG2B2()
79{
80 char * data;
81 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
82 data = dataBuffer;
83 if(STATIC_CONST_FIVE==5)
84 {
85 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
86 memset(data, 'A', 50-1); /* fill with 'A's */
87 data[50-1] = '\0'; /* null terminate */
88 }
89 {
90 char dest[50] = "";
91 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
92 memmove(dest, data, strlen(data)*sizeof(char));
93 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
94 printLine(data);
95 }
96}
97
98void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memmove_06_good()
99{
100 goodG2B1();
101 goodG2B2();
102}
103
104#endif /* OMITGOOD */
105
106/* Below is the main(). It is only used when building this testcase on
107 * its own for testing or for building a binary to use in testing binary
108 * analysis tools. It is not used when compiling all the testcases as one
109 * application, which is how source code analysis tools are tested.
110 */
111
112#ifdef INCLUDEMAIN
113
114int main(int argc, char * argv[])
115{
116 /* seed randomness */
117 srand( (unsigned)time(NULL) );
118#ifndef OMITGOOD
119 printLine("Calling good()...");
120 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memmove_06_good();
121 printLine("Finished good()");
122#endif /* OMITGOOD */
123#ifndef OMITBAD
124 printLine("Calling bad()...");
125 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_alloca_memmove_06_bad();
126 printLine("Finished bad()");
127#endif /* OMITBAD */
128 return 0;
129}
130
131#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4303: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_34.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_34.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml
4Template File: sources-sink-34.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sinks: memmove
12 * BadSink : Copy string to data using memmove
13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21typedef union
22{
23 char * unionFirst;
24 char * unionSecond;
25} CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_34_unionType;
26
27#ifndef OMITBAD
28
29void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_34_bad()
30{
31 char * data;
32 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_34_unionType myUnion;
33 char dataBadBuffer[50];
34 char dataGoodBuffer[100];
35 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
36 * buffer in various memory copying functions using a "large" source buffer. */
37 data = dataBadBuffer;
38 data[0] = '\0'; /* null terminate */
39 myUnion.unionFirst = data;
40 {
41 char * data = myUnion.unionSecond;
42 {
43 char source[100];
44 memset(source, 'C', 100-1); /* fill with 'C's */
45 source[100-1] = '\0'; /* null terminate */
46 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
47 memmove(data, source, 100*sizeof(char));❗VULN
48 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
49 printLine(data);
50 }
51 }
52}
53
54#endif /* OMITBAD */
55
56#ifndef OMITGOOD
57
58/* goodG2B() uses the GoodSource with the BadSink */
59static void goodG2B()
60{
61 char * data;
62 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_34_unionType myUnion;
63 char dataBadBuffer[50];
64 char dataGoodBuffer[100];
65 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
66 data = dataGoodBuffer;
67 data[0] = '\0'; /* null terminate */
68 myUnion.unionFirst = data;
69 {
70 char * data = myUnion.unionSecond;
71 {
72 char source[100];
73 memset(source, 'C', 100-1); /* fill with 'C's */
74 source[100-1] = '\0'; /* null terminate */
75 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
76 memmove(data, source, 100*sizeof(char));
77 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
78 printLine(data);
79 }
80 }
81}
82
83void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_34_good()
84{
85 goodG2B();
86}
87
88#endif /* OMITGOOD */
89
90/* Below is the main(). It is only used when building this testcase on
91 * its own for testing or for building a binary to use in testing binary
92 * analysis tools. It is not used when compiling all the testcases as one
93 * application, which is how source code analysis tools are tested.
94 */
95#ifdef INCLUDEMAIN
96
97int main(int argc, char * argv[])
98{
99 /* seed randomness */
100 srand( (unsigned)time(NULL) );
101#ifndef OMITGOOD
102 printLine("Calling good()...");
103 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_34_good();
104 printLine("Finished good()");
105#endif /* OMITGOOD */
106#ifndef OMITBAD
107 printLine("Calling bad()...");
108 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_memmove_34_bad();
109 printLine("Finished bad()");
110#endif /* OMITBAD */
111 return 0;
112}
113
114#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7210: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_ncpy_01.c

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_ncpy_01.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml
4Template File: sources-sink-01.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: ncpy
12 * BadSink : Copy data to string using wcsncpy
13 * Flow Variant: 01 Baseline
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_ncpy_01_bad()
24{
25 wchar_t * data;
26 wchar_t dataBuffer[100];
27 data = dataBuffer;
28 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
29 wmemset(data, L'A', 100-1); /* fill with L'A's */
30 data[100-1] = L'\0'; /* null terminate */
31 {
32 wchar_t dest[50] = L"";
33 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
34 wcsncpy(dest, data, wcslen(data));❗VULN
35 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
36 printWLine(data);
37 }
38}
39
40#endif /* OMITBAD */
41
42#ifndef OMITGOOD
43
44/* goodG2B uses the GoodSource with the BadSink */
45static void goodG2B()
46{
47 wchar_t * data;
48 wchar_t dataBuffer[100];
49 data = dataBuffer;
50 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
51 wmemset(data, L'A', 50-1); /* fill with L'A's */
52 data[50-1] = L'\0'; /* null terminate */
53 {
54 wchar_t dest[50] = L"";
55 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
56 wcsncpy(dest, data, wcslen(data));
57 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
58 printWLine(data);
59 }
60}
61
62void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_ncpy_01_good()
63{
64 goodG2B();
65}
66
67#endif /* OMITGOOD */
68
69/* Below is the main(). It is only used when building this testcase on
70 * its own for testing or for building a binary to use in testing binary
71 * analysis tools. It is not used when compiling all the testcases as one
72 * application, which is how source code analysis tools are tested.
73 */
74
75#ifdef INCLUDEMAIN
76
77int main(int argc, char * argv[])
78{
79 /* seed randomness */
80 srand( (unsigned)time(NULL) );
81#ifndef OMITGOOD
82 printLine("Calling good()...");
83 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_ncpy_01_good();
84 printLine("Finished good()");
85#endif /* OMITGOOD */
86#ifndef OMITBAD
87 printLine("Calling bad()...");
88 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_ncpy_01_bad();
89 printLine("Finished bad()");
90#endif /* OMITBAD */
91 return 0;
92}
93
94#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 489: CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_12.c

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_12.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__CWE131.label.xml
4Template File: sources-sink-12.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory without using sizeof(int)
10 * GoodSource: Allocate memory using sizeof(int)
11 * Sink: memmove
12 * BadSink : Copy array to data using memmove()
13 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_12_bad()
22{
23 int * data;
24 data = NULL;
25 if(globalReturnsTrueOrFalse())
26 {
27 /* FLAW: Allocate memory without using sizeof(int) */
28 data = (int *)malloc(10);
29 if (data == NULL) {exit(-1);}
30 }
31 else
32 {
33 /* FIX: Allocate memory using sizeof(int) */
34 data = (int *)malloc(10*sizeof(int));
35 if (data == NULL) {exit(-1);}
36 }
37 {
38 int source[10] = {0};
39 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
40 memmove(data, source, 10*sizeof(int));❗VULN
41 printIntLine(data[0]);
42 free(data);
43 }
44}
45
46#endif /* OMITBAD */
47
48#ifndef OMITGOOD
49
50/* goodG2B() - use goodsource and badsink by changing the "if" so that
51 * both branches use the GoodSource */
52static void goodG2B()
53{
54 int * data;
55 data = NULL;
56 if(globalReturnsTrueOrFalse())
57 {
58 /* FIX: Allocate memory using sizeof(int) */
59 data = (int *)malloc(10*sizeof(int));
60 if (data == NULL) {exit(-1);}
61 }
62 else
63 {
64 /* FIX: Allocate memory using sizeof(int) */
65 data = (int *)malloc(10*sizeof(int));
66 if (data == NULL) {exit(-1);}
67 }
68 {
69 int source[10] = {0};
70 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
71 memmove(data, source, 10*sizeof(int));
72 printIntLine(data[0]);
73 free(data);
74 }
75}
76
77void CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_12_good()
78{
79 goodG2B();
80}
81
82#endif /* OMITGOOD */
83
84/* Below is the main(). It is only used when building this testcase on
85 * its own for testing or for building a binary to use in testing binary
86 * analysis tools. It is not used when compiling all the testcases as one
87 * application, which is how source code analysis tools are tested.
88 */
89
90#ifdef INCLUDEMAIN
91
92int main(int argc, char * argv[])
93{
94 /* seed randomness */
95 srand( (unsigned)time(NULL) );
96#ifndef OMITGOOD
97 printLine("Calling good()...");
98 CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_12_good();
99 printLine("Finished good()");
100#endif /* OMITGOOD */
101#ifndef OMITBAD
102 printLine("Calling bad()...");
103 CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_12_bad();
104 printLine("Finished bad()");
105#endif /* OMITBAD */
106 return 0;
107}
108
109#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1402: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_memmove_12.c

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_memmove_12.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml
4Template File: sources-sink-12.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 * GoodSource: Allocate enough memory for a string and the NULL terminator
11 * Sink: memmove
12 * BadSink : Copy string to data using memmove()
13 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING L"AAAAAAAAAA"
25
26#ifndef OMITBAD
27
28void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_memmove_12_bad()
29{
30 wchar_t * data;
31 data = NULL;
32 if(globalReturnsTrueOrFalse())
33 {
34 /* FLAW: Did not leave space for a null terminator */
35 data = (wchar_t *)malloc(10*sizeof(wchar_t));
36 if (data == NULL) {exit(-1);}
37 }
38 else
39 {
40 /* FIX: Allocate space for a null terminator */
41 data = (wchar_t *)malloc((10+1)*sizeof(wchar_t));
42 if (data == NULL) {exit(-1);}
43 }
44 {
45 wchar_t source[10+1] = SRC_STRING;
46 /* Copy length + 1 to include NUL terminator from source */
47 /* POTENTIAL FLAW: data may not have enough space to hold source */
48 memmove(data, source, (wcslen(source) + 1) * sizeof(wchar_t));❗VULN
49 printWLine(data);
50 free(data);
51 }
52}
53
54#endif /* OMITBAD */
55
56#ifndef OMITGOOD
57
58/* goodG2B() - use goodsource and badsink by changing the "if" so that
59 * both branches use the GoodSource */
60static void goodG2B()
61{
62 wchar_t * data;
63 data = NULL;
64 if(globalReturnsTrueOrFalse())
65 {
66 /* FIX: Allocate space for a null terminator */
67 data = (wchar_t *)malloc((10+1)*sizeof(wchar_t));
68 if (data == NULL) {exit(-1);}
69 }
70 else
71 {
72 /* FIX: Allocate space for a null terminator */
73 data = (wchar_t *)malloc((10+1)*sizeof(wchar_t));
74 if (data == NULL) {exit(-1);}
75 }
76 {
77 wchar_t source[10+1] = SRC_STRING;
78 /* Copy length + 1 to include NUL terminator from source */
79 /* POTENTIAL FLAW: data may not have enough space to hold source */
80 memmove(data, source, (wcslen(source) + 1) * sizeof(wchar_t));
81 printWLine(data);
82 free(data);
83 }
84}
85
86void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_memmove_12_good()
87{
88 goodG2B();
89}
90
91#endif /* OMITGOOD */
92
93/* Below is the main(). It is only used when building this testcase on
94 * its own for testing or for building a binary to use in testing binary
95 * analysis tools. It is not used when compiling all the testcases as one
96 * application, which is how source code analysis tools are tested.
97 */
98
99#ifdef INCLUDEMAIN
100
101int main(int argc, char * argv[])
102{
103 /* seed randomness */
104 srand( (unsigned)time(NULL) );
105#ifndef OMITGOOD
106 printLine("Calling good()...");
107 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_memmove_12_good();
108 printLine("Finished good()");
109#endif /* OMITGOOD */
110#ifndef OMITBAD
111 printLine("Calling bad()...");
112 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_wchar_t_memmove_12_bad();
113 printLine("Finished bad()");
114#endif /* OMITBAD */
115 return 0;
116}
117
118#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5492: CWE126_Buffer_Overread__CWE129_listen_socket_18.c

Nodes: 46 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__CWE129_listen_socket_18.c
3Label Definition File: CWE126_Buffer_Overread__CWE129.label.xml
4Template File: sources-sinks-18.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Overread
9 * BadSource: listen_socket Read data using a listen socket (server side)
10 * GoodSource: Larger than zero but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the upper bound
14 * Flow Variant: 18 Control flow: goto statements
15 *
16 * */
17
18#include "std_testcase.h"
19
20#ifdef _WIN32
21#include <winsock2.h>
22#include <windows.h>
23#include <direct.h>
24#pragma comment(lib, "ws2_32") /* include ws2_32.lib when linking */
25#define CLOSE_SOCKET closesocket
26#else
27#include <sys/types.h>
28#include <sys/socket.h>
29#include <netinet/in.h>
30#include <arpa/inet.h>
31#include <unistd.h>
32#define INVALID_SOCKET -1
33#define SOCKET_ERROR -1
34#define CLOSE_SOCKET close
35#define SOCKET int
36#endif
37
38#define TCP_PORT 27015
39#define LISTEN_BACKLOG 5
40#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)
41
42#ifndef OMITBAD
43
44void CWE126_Buffer_Overread__CWE129_listen_socket_18_bad()
45{
46 int data;
47 /* Initialize data */
48 data = -1;
49 goto source;
50source:
51 {
52#ifdef _WIN32
53 WSADATA wsaData;
54 int wsaDataInit = 0;
55#endif
56 int recvResult;
57 struct sockaddr_in service;
58 SOCKET listenSocket = INVALID_SOCKET;
59 SOCKET acceptSocket = INVALID_SOCKET;
60 char inputBuffer[CHAR_ARRAY_SIZE];
61 do
62 {
63#ifdef _WIN32
64 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
65 {
66 break;
67 }
68 wsaDataInit = 1;
69#endif
70 /* POTENTIAL FLAW: Read data using a listen socket */
71 listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
72 if (listenSocket == INVALID_SOCKET)
73 {
74 break;
75 }
76 memset(&service, 0, sizeof(service));
77 service.sin_family = AF_INET;
78 service.sin_addr.s_addr = INADDR_ANY;
79 service.sin_port = htons(TCP_PORT);
80 if (bind(listenSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
81 {
82 break;
83 }
84 if (listen(listenSocket, LISTEN_BACKLOG) == SOCKET_ERROR)
85 {
86 break;
87 }
88 acceptSocket = accept(listenSocket, NULL, NULL);
89 if (acceptSocket == SOCKET_ERROR)
90 {
91 break;
92 }
93 /* Abort on error or the connection was closed */
94 recvResult = recv(acceptSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);
95 if (recvResult == SOCKET_ERROR || recvResult == 0)
96 {
97 break;
98 }
99 /* NUL-terminate the string */
100 inputBuffer[recvResult] = '\0';
101 /* Convert to int */
102 data = atoi(inputBuffer);
103 }
104 while (0);
105 if (listenSocket != INVALID_SOCKET)
106 {
107 CLOSE_SOCKET(listenSocket);
108 }
109 if (acceptSocket != INVALID_SOCKET)
110 {
111 CLOSE_SOCKET(acceptSocket);
112 }
113#ifdef _WIN32
114 if (wsaDataInit)
115 {
116 WSACleanup();
117 }
118#endif
119 }
120 goto sink;
121sink:
122 {
123 int buffer[10] = { 0 };
124 /* POTENTIAL FLAW: Attempt to access an index of the array that is above the upper bound
125 * This check does not check the upper bounds of the array index */
126 if (data >= 0)
127 {
128 printIntLine(buffer[data]);❗VULN
129 }
130 else
131 {
132 printLine("ERROR: Array index is negative");
133 }
134 }
135}
136
137#endif /* OMITBAD */
138
139#ifndef OMITGOOD
140
141/* goodB2G() - use badsource and goodsink by reversing the blocks on the second goto statement */
142static void goodB2G()
143{
144 int data;
145 /* Initialize data */
146 data = -1;
147 goto source;
148source:
149 {
150#ifdef _WIN32
151 WSADATA wsaData;
152 int wsaDataInit = 0;
153#endif
154 int recvResult;
155 struct sockaddr_in service;
156 SOCKET listenSocket = INVALID_SOCKET;
157 SOCKET acceptSocket = INVALID_SOCKET;
158 char inputBuffer[CHAR_ARRAY_SIZE];
159 do
160 {
161#ifdef _WIN32
162 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
163 {
164 break;
165 }
166 wsaDataInit = 1;
167#endif
168 /* POTENTIAL FLAW: Read data using a listen socket */
169 listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
170 if (listenSocket == INVALID_SOCKET)
171 {
172 break;
173 }
174 memset(&service, 0, sizeof(service));
175 service.sin_family = AF_INET;
176 service.sin_addr.s_addr = INADDR_ANY;
177 service.sin_port = htons(TCP_PORT);
178 if (bind(listenSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
179 {
180 break;
181 }
182 if (listen(listenSocket, LISTEN_BACKLOG) == SOCKET_ERROR)
183 {
184 break;
185 }
186 acceptSocket = accept(listenSocket, NULL, NULL);
187 if (acceptSocket == SOCKET_ERROR)
188 {
189 break;
190 }
191 /* Abort on error or the connection was closed */
192 recvResult = recv(acceptSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);
193 if (recvResult == SOCKET_ERROR || recvResult == 0)
194 {
195 break;
196 }
197 /* NUL-terminate the string */
198 inputBuffer[recvResult] = '\0';
199 /* Convert to int */
200 data = atoi(inputBuffer);
201 }
202 while (0);
203 if (listenSocket != INVALID_SOCKET)
204 {
205 CLOSE_SOCKET(listenSocket);
206 }
207 if (acceptSocket != INVALID_SOCKET)
208 {
209 CLOSE_SOCKET(acceptSocket);
210 }
211#ifdef _WIN32
212 if (wsaDataInit)
213 {
214 WSACleanup();
215 }
216#endif
217 }
218 goto sink;
219sink:
220 {
221 int buffer[10] = { 0 };
222 /* FIX: Properly validate the array index and prevent a buffer overread */
223 if (data >= 0 && data < (10))
224 {
225 printIntLine(buffer[data]);
226 }
227 else
228 {
229 printLine("ERROR: Array index is out-of-bounds");
230 }
231 }
232}
233
234/* goodG2B() - use goodsource and badsink by reversing the blocks on the first goto statement */
235static void goodG2B()
236{
237 int data;
238 /* Initialize data */
239 data = -1;
240 goto source;
241source:
242 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
243 * access an index of the array in the sink that is out-of-bounds */
244 data = 7;
245 goto sink;
246sink:
247 {
248 int buffer[10] = { 0 };
249 /* POTENTIAL FLAW: Attempt to access an index of the array that is above the upper bound
250 * This check does not check the upper bounds of the array index */
251 if (data >= 0)
252 {
253 printIntLine(buffer[data]);
254 }
255 else
256 {
257 printLine("ERROR: Array index is negative");
258 }
259 }
260}
261
262void CWE126_Buffer_Overread__CWE129_listen_socket_18_good()
263{
264 goodB2G();
265 goodG2B();
266}
267
268#endif /* OMITGOOD */
269
270/* Below is the main(). It is only used when building this testcase on
271 its own for testing or for building a binary to use in testing binary
272 analysis tools. It is not used when compiling all the testcases as one
273 application, which is how source code analysis tools are tested. */
274
275#ifdef INCLUDEMAIN
276
277int main(int argc, char * argv[])
278{
279 /* seed randomness */
280 srand( (unsigned)time(NULL) );
281#ifndef OMITGOOD
282 printLine("Calling good()...");
283 CWE126_Buffer_Overread__CWE129_listen_socket_18_good();
284 printLine("Finished good()");
285#endif /* OMITGOOD */
286#ifndef OMITBAD
287 printLine("Calling bad()...");
288 CWE126_Buffer_Overread__CWE129_listen_socket_18_bad();
289 printLine("Finished bad()");
290#endif /* OMITBAD */
291 return 0;
292}
293
294#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6459: CWE121_Stack_Based_Buffer_Overflow__placement_new_declare_10.cpp

Nodes: 10 | Sink Nodes: 3 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__placement_new_declare_10.cpp
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__placement_new.label.xml
4Template File: sources-sinks-10.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data to a small buffer
10 * GoodSource: Initialize data to a buffer large enough to hold a TwoIntsClass
11 * Sinks:
12 * GoodSink: Allocate a new class using placement new and a buffer that is large enough to hold the class
13 * BadSink : Allocate a new class using placement new and a buffer that is too small
14 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)
15 *
16 * */
17
18#include "std_testcase.h"
19
20namespace CWE121_Stack_Based_Buffer_Overflow__placement_new_declare_10
21{
22
23#ifndef OMITBAD
24
25void bad()
26{
27 char * data;
28 char dataBadBuffer[sizeof(OneIntClass)];
29 char dataGoodBuffer[sizeof(TwoIntsClass)];
30 if(globalTrue)
31 {
32 /* POTENTIAL FLAW: Initialize data to a buffer smaller than the sizeof(TwoIntsClass) */
33 data = dataBadBuffer;
34 }
35 if(globalTrue)
36 {
37 {
38 /* The Visual C++ compiler generates a warning if you initialize the class with ().
39 * This will cause the compile to default-initialize the object.
40 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx
41 */
42 /* POTENTIAL FLAW: data may not be large enough to hold a TwoIntsClass */
43 TwoIntsClass * classTwo = new(data) TwoIntsClass;
44 /* Initialize and make use of the class */
45 classTwo->intOne = 5;
46 classTwo->intTwo = 10; /* POTENTIAL FLAW: If sizeof(data) < sizeof(TwoIntsClass) then this line will be a buffer overflow */❗VULN
47 printIntLine(classTwo->intOne);
48 /* skip printing classTwo->intTwo since that could be a buffer overread */
49 }
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodB2G1() - use badsource and goodsink by changing the second globalTrue to globalFalse */
58static void goodB2G1()
59{
60 char * data;
61 char dataBadBuffer[sizeof(OneIntClass)];
62 char dataGoodBuffer[sizeof(TwoIntsClass)];
63 if(globalTrue)
64 {
65 /* POTENTIAL FLAW: Initialize data to a buffer smaller than the sizeof(TwoIntsClass) */
66 data = dataBadBuffer;
67 }
68 if(globalFalse)
69 {
70 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
71 printLine("Benign, fixed string");
72 }
73 else
74 {
75 {
76 /* The Visual C++ compiler generates a warning if you initialize the class with ().
77 * This will cause the compile to default-initialize the object.
78 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx
79 */
80 /* FIX: data will at least be the sizeof(OneIntClass) */
81 OneIntClass * classOne = new(data) OneIntClass;
82 /* Initialize and make use of the class */
83 classOne->intOne = 5;
84 printIntLine(classOne->intOne);
85 }
86 }
87}
88
89/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */
90static void goodB2G2()
91{
92 char * data;
93 char dataBadBuffer[sizeof(OneIntClass)];
94 char dataGoodBuffer[sizeof(TwoIntsClass)];
95 if(globalTrue)
96 {
97 /* POTENTIAL FLAW: Initialize data to a buffer smaller than the sizeof(TwoIntsClass) */
98 data = dataBadBuffer;
99 }
100 if(globalTrue)
101 {
102 {
103 /* The Visual C++ compiler generates a warning if you initialize the class with ().
104 * This will cause the compile to default-initialize the object.
105 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx
106 */
107 /* FIX: data will at least be the sizeof(OneIntClass) */
108 OneIntClass * classOne = new(data) OneIntClass;
109 /* Initialize and make use of the class */
110 classOne->intOne = 5;
111 printIntLine(classOne->intOne);
112 }
113 }
114}
115
116/* goodG2B1() - use goodsource and badsink by changing the first globalTrue to globalFalse */
117static void goodG2B1()
118{
119 char * data;
120 char dataBadBuffer[sizeof(OneIntClass)];
121 char dataGoodBuffer[sizeof(TwoIntsClass)];
122 if(globalFalse)
123 {
124 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
125 printLine("Benign, fixed string");
126 }
127 else
128 {
129 /* FIX: Initialize to a buffer at least the sizeof(TwoIntsClass) */
130 data = dataGoodBuffer;
131 }
132 if(globalTrue)
133 {
134 {
135 /* The Visual C++ compiler generates a warning if you initialize the class with ().
136 * This will cause the compile to default-initialize the object.
137 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx
138 */
139 /* POTENTIAL FLAW: data may not be large enough to hold a TwoIntsClass */
140 TwoIntsClass * classTwo = new(data) TwoIntsClass;
141 /* Initialize and make use of the class */
142 classTwo->intOne = 5;
143 classTwo->intTwo = 10; /* POTENTIAL FLAW: If sizeof(data) < sizeof(TwoIntsClass) then this line will be a buffer overflow */
144 printIntLine(classTwo->intOne);
145 /* skip printing classTwo->intTwo since that could be a buffer overread */
146 }
147 }
148}
149
150/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */
151static void goodG2B2()
152{
153 char * data;
154 char dataBadBuffer[sizeof(OneIntClass)];
155 char dataGoodBuffer[sizeof(TwoIntsClass)];
156 if(globalTrue)
157 {
158 /* FIX: Initialize to a buffer at least the sizeof(TwoIntsClass) */
159 data = dataGoodBuffer;
160 }
161 if(globalTrue)
162 {
163 {
164 /* The Visual C++ compiler generates a warning if you initialize the class with ().
165 * This will cause the compile to default-initialize the object.
166 * See http://msdn.microsoft.com/en-us/library/wewb47ee%28v=VS.100%29.aspx
167 */
168 /* POTENTIAL FLAW: data may not be large enough to hold a TwoIntsClass */
169 TwoIntsClass * classTwo = new(data) TwoIntsClass;
170 /* Initialize and make use of the class */
171 classTwo->intOne = 5;
172 classTwo->intTwo = 10; /* POTENTIAL FLAW: If sizeof(data) < sizeof(TwoIntsClass) then this line will be a buffer overflow */
173 printIntLine(classTwo->intOne);
174 /* skip printing classTwo->intTwo since that could be a buffer overread */
175 }
176 }
177}
178
179void good()
180{
181 goodB2G1();
182 goodB2G2();
183 goodG2B1();
184 goodG2B2();
185}
186
187#endif /* OMITGOOD */
188
189} /* close namespace */
190
191/* Below is the main(). It is only used when building this testcase on
192 its own for testing or for building a binary to use in testing binary
193 analysis tools. It is not used when compiling all the testcases as one
194 application, which is how source code analysis tools are tested. */
195
196#ifdef INCLUDEMAIN
197
198using namespace CWE121_Stack_Based_Buffer_Overflow__placement_new_declare_10; /* so that we can use good and bad easily */
199
200int main(int argc, char * argv[])
201{
202 /* seed randomness */
203 srand( (unsigned)time(NULL) );
204#ifndef OMITGOOD
205 printLine("Calling good()...");
206 good();
207 printLine("Finished good()");
208#endif /* OMITGOOD */
209#ifndef OMITBAD
210 printLine("Calling bad()...");
211 bad();
212 printLine("Finished bad()");
213#endif /* OMITBAD */
214 return 0;
215}
216
217#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 645: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_21.cpp

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_21.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml
4Template File: sources-sink-21.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: ncat
12 * BadSink : Copy string to data using wcsncat
13 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_21
22{
23
24#ifndef OMITBAD
25
26/* The static variable below is used to drive control flow in the source function */
27static int badStatic = 0;
28
29static wchar_t * badSource(wchar_t * data)
30{
31 if(badStatic)
32 {
33 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
34 data = new wchar_t[50];
35 data[0] = L'\0'; /* null terminate */
36 }
37 return data;
38}
39
40void bad()
41{
42 wchar_t * data;
43 data = NULL;
44 badStatic = 1; /* true */
45 data = badSource(data);
46 {
47 wchar_t source[100];
48 wmemset(source, L'C', 100-1); /* fill with L'C's */
49 source[100-1] = L'\0'; /* null terminate */
50 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
51 wcsncat(data, source, 100);❗VULN
52 printWLine(data);
53 delete [] data;
54 }
55 ;
56}
57
58#endif /* OMITBAD */
59
60#ifndef OMITGOOD
61
62/* The static variables below are used to drive control flow in the source functions. */
63static int goodG2B1Static = 0;
64static int goodG2B2Static = 0;
65
66/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */
67static wchar_t * goodG2B1Source(wchar_t * data)
68{
69 if(goodG2B1Static)
70 {
71 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
72 printLine("Benign, fixed string");
73 }
74 else
75 {
76 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
77 data = new wchar_t[100];
78 data[0] = L'\0'; /* null terminate */
79 }
80 return data;
81}
82
83static void goodG2B1()
84{
85 wchar_t * data;
86 data = NULL;
87 goodG2B1Static = 0; /* false */
88 data = goodG2B1Source(data);
89 {
90 wchar_t source[100];
91 wmemset(source, L'C', 100-1); /* fill with L'C's */
92 source[100-1] = L'\0'; /* null terminate */
93 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
94 wcsncat(data, source, 100);
95 printWLine(data);
96 delete [] data;
97 }
98 ;
99}
100
101/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */
102static wchar_t * goodG2B2Source(wchar_t * data)
103{
104 if(goodG2B2Static)
105 {
106 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
107 data = new wchar_t[100];
108 data[0] = L'\0'; /* null terminate */
109 }
110 return data;
111}
112
113static void goodG2B2()
114{
115 wchar_t * data;
116 data = NULL;
117 goodG2B2Static = 1; /* true */
118 data = goodG2B2Source(data);
119 {
120 wchar_t source[100];
121 wmemset(source, L'C', 100-1); /* fill with L'C's */
122 source[100-1] = L'\0'; /* null terminate */
123 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than sizeof(data)-strlen(data) */
124 wcsncat(data, source, 100);
125 printWLine(data);
126 delete [] data;
127 }
128 ;
129}
130
131void good()
132{
133 goodG2B1();
134 goodG2B2();
135}
136
137#endif /* OMITGOOD */
138
139} /* close namespace */
140
141/* Below is the main(). It is only used when building this testcase on
142 its own for testing or for building a binary to use in testing binary
143 analysis tools. It is not used when compiling all the testcases as one
144 application, which is how source code analysis tools are tested. */
145
146#ifdef INCLUDEMAIN
147
148using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_ncat_21; /* so that we can use good and bad easily */
149
150int main(int argc, char * argv[])
151{
152 /* seed randomness */
153 srand( (unsigned)time(NULL) );
154#ifndef OMITGOOD
155 printLine("Calling good()...");
156 good();
157 printLine("Finished good()");
158#endif /* OMITGOOD */
159#ifndef OMITBAD
160 printLine("Calling bad()...");
161 bad();
162 printLine("Finished bad()");
163#endif /* OMITBAD */
164 return 0;
165}
166
167#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4822: CWE121_Stack_Based_Buffer_Overflow__CWE129_large_04.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE129_large_04.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE129.label.xml
4Template File: sources-sinks-04.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: large Large index value that is greater than 10-1
10 * GoodSource: Larger than zero but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the upper bound
14 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)
15 *
16 * */
17
18#include "std_testcase.h"
19
20/* The two variables below are declared "const", so a tool should
21 be able to identify that reads of these will always return their
22 initialized values. */
23static const int STATIC_CONST_TRUE = 1; /* true */
24static const int STATIC_CONST_FALSE = 0; /* false */
25
26#ifndef OMITBAD
27
28void CWE121_Stack_Based_Buffer_Overflow__CWE129_large_04_bad()
29{
30 int data;
31 /* Initialize data */
32 data = -1;
33 if(STATIC_CONST_TRUE)
34 {
35 /* POTENTIAL FLAW: Use an invalid index */
36 data = 10;
37 }
38 if(STATIC_CONST_TRUE)
39 {
40 {
41 int i;
42 int buffer[10] = { 0 };
43 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
44 * This code does check to see if the array index is negative */
45 if (data >= 0)
46 {
47 buffer[data] = 1;❗VULN
48 /* Print the array values */
49 for(i = 0; i < 10; i++)
50 {
51 printIntLine(buffer[i]);
52 }
53 }
54 else
55 {
56 printLine("ERROR: Array index is negative.");
57 }
58 }
59 }
60}
61
62#endif /* OMITBAD */
63
64#ifndef OMITGOOD
65
66/* goodB2G1() - use badsource and goodsink by changing the second STATIC_CONST_TRUE to STATIC_CONST_FALSE */
67static void goodB2G1()
68{
69 int data;
70 /* Initialize data */
71 data = -1;
72 if(STATIC_CONST_TRUE)
73 {
74 /* POTENTIAL FLAW: Use an invalid index */
75 data = 10;
76 }
77 if(STATIC_CONST_FALSE)
78 {
79 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
80 printLine("Benign, fixed string");
81 }
82 else
83 {
84 {
85 int i;
86 int buffer[10] = { 0 };
87 /* FIX: Properly validate the array index and prevent a buffer overflow */
88 if (data >= 0 && data < (10))
89 {
90 buffer[data] = 1;
91 /* Print the array values */
92 for(i = 0; i < 10; i++)
93 {
94 printIntLine(buffer[i]);
95 }
96 }
97 else
98 {
99 printLine("ERROR: Array index is out-of-bounds");
100 }
101 }
102 }
103}
104
105/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */
106static void goodB2G2()
107{
108 int data;
109 /* Initialize data */
110 data = -1;
111 if(STATIC_CONST_TRUE)
112 {
113 /* POTENTIAL FLAW: Use an invalid index */
114 data = 10;
115 }
116 if(STATIC_CONST_TRUE)
117 {
118 {
119 int i;
120 int buffer[10] = { 0 };
121 /* FIX: Properly validate the array index and prevent a buffer overflow */
122 if (data >= 0 && data < (10))
123 {
124 buffer[data] = 1;
125 /* Print the array values */
126 for(i = 0; i < 10; i++)
127 {
128 printIntLine(buffer[i]);
129 }
130 }
131 else
132 {
133 printLine("ERROR: Array index is out-of-bounds");
134 }
135 }
136 }
137}
138
139/* goodG2B1() - use goodsource and badsink by changing the first STATIC_CONST_TRUE to STATIC_CONST_FALSE */
140static void goodG2B1()
141{
142 int data;
143 /* Initialize data */
144 data = -1;
145 if(STATIC_CONST_FALSE)
146 {
147 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
148 printLine("Benign, fixed string");
149 }
150 else
151 {
152 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
153 * access an index of the array in the sink that is out-of-bounds */
154 data = 7;
155 }
156 if(STATIC_CONST_TRUE)
157 {
158 {
159 int i;
160 int buffer[10] = { 0 };
161 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
162 * This code does check to see if the array index is negative */
163 if (data >= 0)
164 {
165 buffer[data] = 1;
166 /* Print the array values */
167 for(i = 0; i < 10; i++)
168 {
169 printIntLine(buffer[i]);
170 }
171 }
172 else
173 {
174 printLine("ERROR: Array index is negative.");
175 }
176 }
177 }
178}
179
180/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */
181static void goodG2B2()
182{
183 int data;
184 /* Initialize data */
185 data = -1;
186 if(STATIC_CONST_TRUE)
187 {
188 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
189 * access an index of the array in the sink that is out-of-bounds */
190 data = 7;
191 }
192 if(STATIC_CONST_TRUE)
193 {
194 {
195 int i;
196 int buffer[10] = { 0 };
197 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
198 * This code does check to see if the array index is negative */
199 if (data >= 0)
200 {
201 buffer[data] = 1;
202 /* Print the array values */
203 for(i = 0; i < 10; i++)
204 {
205 printIntLine(buffer[i]);
206 }
207 }
208 else
209 {
210 printLine("ERROR: Array index is negative.");
211 }
212 }
213 }
214}
215
216void CWE121_Stack_Based_Buffer_Overflow__CWE129_large_04_good()
217{
218 goodB2G1();
219 goodB2G2();
220 goodG2B1();
221 goodG2B2();
222}
223
224#endif /* OMITGOOD */
225
226/* Below is the main(). It is only used when building this testcase on
227 its own for testing or for building a binary to use in testing binary
228 analysis tools. It is not used when compiling all the testcases as one
229 application, which is how source code analysis tools are tested. */
230
231#ifdef INCLUDEMAIN
232
233int main(int argc, char * argv[])
234{
235 /* seed randomness */
236 srand( (unsigned)time(NULL) );
237#ifndef OMITGOOD
238 printLine("Calling good()...");
239 CWE121_Stack_Based_Buffer_Overflow__CWE129_large_04_good();
240 printLine("Finished good()");
241#endif /* OMITGOOD */
242#ifndef OMITBAD
243 printLine("Calling bad()...");
244 CWE121_Stack_Based_Buffer_Overflow__CWE129_large_04_bad();
245 printLine("Finished bad()");
246#endif /* OMITBAD */
247 return 0;
248}
249
250#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9456: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_snprintf_18.cpp

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_snprintf_18.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml
4Template File: sources-sink-18.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: swprintf
12 * BadSink : Copy string to data using swprintf
13 * Flow Variant: 18 Control flow: goto statements
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifdef _WIN32
22#define SNPRINTF _snwprintf
23#else
24#define SNPRINTF swprintf
25#endif
26
27namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_snprintf_18
28{
29
30#ifndef OMITBAD
31
32void bad()
33{
34 wchar_t * data;
35 data = NULL;
36 goto source;
37source:
38 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
39 data = new wchar_t[50];
40 data[0] = L'\0'; /* null terminate */
41 {
42 wchar_t source[100];
43 wmemset(source, L'C', 100-1); /* fill with L'C's */
44 source[100-1] = L'\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
46 SNPRINTF(data, 100, L"%s", source);❗VULN
47 printWLine(data);
48 delete [] data;
49 }
50}
51
52#endif /* OMITBAD */
53
54#ifndef OMITGOOD
55
56/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
57static void goodG2B()
58{
59 wchar_t * data;
60 data = NULL;
61 goto source;
62source:
63 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
64 data = new wchar_t[100];
65 data[0] = L'\0'; /* null terminate */
66 {
67 wchar_t source[100];
68 wmemset(source, L'C', 100-1); /* fill with L'C's */
69 source[100-1] = L'\0'; /* null terminate */
70 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
71 SNPRINTF(data, 100, L"%s", source);
72 printWLine(data);
73 delete [] data;
74 }
75}
76
77void good()
78{
79 goodG2B();
80}
81
82#endif /* OMITGOOD */
83
84} /* close namespace */
85
86/* Below is the main(). It is only used when building this testcase on
87 its own for testing or for building a binary to use in testing binary
88 analysis tools. It is not used when compiling all the testcases as one
89 application, which is how source code analysis tools are tested. */
90
91#ifdef INCLUDEMAIN
92
93using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_wchar_t_snprintf_18; /* so that we can use good and bad easily */
94
95int main(int argc, char * argv[])
96{
97 /* seed randomness */
98 srand( (unsigned)time(NULL) );
99#ifndef OMITGOOD
100 printLine("Calling good()...");
101 good();
102 printLine("Finished good()");
103#endif /* OMITGOOD */
104#ifndef OMITBAD
105 printLine("Calling bad()...");
106 bad();
107 printLine("Finished bad()");
108#endif /* OMITBAD */
109 return 0;
110}
111
112#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9626: CWE127_Buffer_Underread__malloc_wchar_t_loop_11.c

Nodes: 19 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__malloc_wchar_t_loop_11.c
3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml
4Template File: sources-sink-11.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__malloc_wchar_t_loop_11_bad()
24{
25 wchar_t * data;
26 data = NULL;
27 if(globalReturnsTrue())
28 {
29 {
30 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
31 if (dataBuffer == NULL) {exit(-1);}
32 wmemset(dataBuffer, L'A', 100-1);
33 dataBuffer[100-1] = L'\0';
34 /* FLAW: Set data pointer to before the allocated memory buffer */
35 data = dataBuffer - 8;
36 }
37 }
38 {
39 size_t i;
40 wchar_t dest[100];
41 wmemset(dest, L'C', 100-1); /* fill with 'C's */
42 dest[100-1] = L'\0'; /* null terminate */
43 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
44 for (i = 0; i < 100; i++)
45 {
46 dest[i] = data[i];❗VULN
47 }
48 /* Ensure null termination */
49 dest[100-1] = L'\0';
50 printWLine(dest);
51 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
52 * returned by malloc() so can't safely call free() on it */
53 }
54}
55
56#endif /* OMITBAD */
57
58#ifndef OMITGOOD
59
60/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */
61static void goodG2B1()
62{
63 wchar_t * data;
64 data = NULL;
65 if(globalReturnsFalse())
66 {
67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
68 printLine("Benign, fixed string");
69 }
70 else
71 {
72 {
73 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
74 if (dataBuffer == NULL) {exit(-1);}
75 wmemset(dataBuffer, L'A', 100-1);
76 dataBuffer[100-1] = L'\0';
77 /* FIX: Set data pointer to the allocated memory buffer */
78 data = dataBuffer;
79 }
80 }
81 {
82 size_t i;
83 wchar_t dest[100];
84 wmemset(dest, L'C', 100-1); /* fill with 'C's */
85 dest[100-1] = L'\0'; /* null terminate */
86 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
87 for (i = 0; i < 100; i++)
88 {
89 dest[i] = data[i];
90 }
91 /* Ensure null termination */
92 dest[100-1] = L'\0';
93 printWLine(dest);
94 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
95 * returned by malloc() so can't safely call free() on it */
96 }
97}
98
99/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
100static void goodG2B2()
101{
102 wchar_t * data;
103 data = NULL;
104 if(globalReturnsTrue())
105 {
106 {
107 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
108 if (dataBuffer == NULL) {exit(-1);}
109 wmemset(dataBuffer, L'A', 100-1);
110 dataBuffer[100-1] = L'\0';
111 /* FIX: Set data pointer to the allocated memory buffer */
112 data = dataBuffer;
113 }
114 }
115 {
116 size_t i;
117 wchar_t dest[100];
118 wmemset(dest, L'C', 100-1); /* fill with 'C's */
119 dest[100-1] = L'\0'; /* null terminate */
120 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
121 for (i = 0; i < 100; i++)
122 {
123 dest[i] = data[i];
124 }
125 /* Ensure null termination */
126 dest[100-1] = L'\0';
127 printWLine(dest);
128 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
129 * returned by malloc() so can't safely call free() on it */
130 }
131}
132
133void CWE127_Buffer_Underread__malloc_wchar_t_loop_11_good()
134{
135 goodG2B1();
136 goodG2B2();
137}
138
139#endif /* OMITGOOD */
140
141/* Below is the main(). It is only used when building this testcase on
142 * its own for testing or for building a binary to use in testing binary
143 * analysis tools. It is not used when compiling all the testcases as one
144 * application, which is how source code analysis tools are tested.
145 */
146
147#ifdef INCLUDEMAIN
148
149int main(int argc, char * argv[])
150{
151 /* seed randomness */
152 srand( (unsigned)time(NULL) );
153#ifndef OMITGOOD
154 printLine("Calling good()...");
155 CWE127_Buffer_Underread__malloc_wchar_t_loop_11_good();
156 printLine("Finished good()");
157#endif /* OMITGOOD */
158#ifndef OMITBAD
159 printLine("Calling bad()...");
160 CWE127_Buffer_Underread__malloc_wchar_t_loop_11_bad();
161 printLine("Finished bad()");
162#endif /* OMITBAD */
163 return 0;
164}
165
166#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7631: CWE126_Buffer_Overread__char_declare_memcpy_32.c

Nodes: 19 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__char_declare_memcpy_32.c
3Label Definition File: CWE126_Buffer_Overread.stack.label.xml
4Template File: sources-sink-32.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Set data pointer to a small buffer
10 * GoodSource: Set data pointer to a large buffer
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE126_Buffer_Overread__char_declare_memcpy_32_bad()
24{
25 char * data;
26 char * *dataPtr1 = &data;
27 char * *dataPtr2 = &data;
28 char dataBadBuffer[50];
29 char dataGoodBuffer[100];
30 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */
31 dataBadBuffer[50-1] = '\0'; /* null terminate */
32 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */
33 dataGoodBuffer[100-1] = '\0'; /* null terminate */
34 {
35 char * data = *dataPtr1;
36 /* FLAW: Set data pointer to a small buffer */
37 data = dataBadBuffer;
38 *dataPtr1 = data;
39 }
40 {
41 char * data = *dataPtr2;
42 {
43 char dest[100];
44 memset(dest, 'C', 100-1);
45 dest[100-1] = '\0'; /* null terminate */
46 /* POTENTIAL FLAW: using memcpy with the length of the dest where data
47 * could be smaller than dest causing buffer overread */
48 memcpy(dest, data, strlen(dest)*sizeof(char));❗VULN
49 dest[100-1] = '\0';
50 printLine(dest);
51 }
52 }
53}
54
55#endif /* OMITBAD */
56
57#ifndef OMITGOOD
58
59/* goodG2B() uses the GoodSource with the BadSink */
60static void goodG2B()
61{
62 char * data;
63 char * *dataPtr1 = &data;
64 char * *dataPtr2 = &data;
65 char dataBadBuffer[50];
66 char dataGoodBuffer[100];
67 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */
68 dataBadBuffer[50-1] = '\0'; /* null terminate */
69 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */
70 dataGoodBuffer[100-1] = '\0'; /* null terminate */
71 {
72 char * data = *dataPtr1;
73 /* FIX: Set data pointer to a large buffer */
74 data = dataGoodBuffer;
75 *dataPtr1 = data;
76 }
77 {
78 char * data = *dataPtr2;
79 {
80 char dest[100];
81 memset(dest, 'C', 100-1);
82 dest[100-1] = '\0'; /* null terminate */
83 /* POTENTIAL FLAW: using memcpy with the length of the dest where data
84 * could be smaller than dest causing buffer overread */
85 memcpy(dest, data, strlen(dest)*sizeof(char));
86 dest[100-1] = '\0';
87 printLine(dest);
88 }
89 }
90}
91
92void CWE126_Buffer_Overread__char_declare_memcpy_32_good()
93{
94 goodG2B();
95}
96
97#endif /* OMITGOOD */
98
99/* Below is the main(). It is only used when building this testcase on
100 * its own for testing or for building a binary to use in testing binary
101 * analysis tools. It is not used when compiling all the testcases as one
102 * application, which is how source code analysis tools are tested.
103 */
104#ifdef INCLUDEMAIN
105
106int main(int argc, char * argv[])
107{
108 /* seed randomness */
109 srand( (unsigned)time(NULL) );
110#ifndef OMITGOOD
111 printLine("Calling good()...");
112 CWE126_Buffer_Overread__char_declare_memcpy_32_good();
113 printLine("Finished good()");
114#endif /* OMITGOOD */
115#ifndef OMITBAD
116 printLine("Calling bad()...");
117 CWE126_Buffer_Overread__char_declare_memcpy_32_bad();
118 printLine("Finished bad()");
119#endif /* OMITBAD */
120 return 0;
121}
122
123#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7248: CWE121_Stack_Based_Buffer_Overflow__CWE129_connect_socket_21.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE129_connect_socket_21.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE129.label.xml
4Template File: sources-sinks-21.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: connect_socket Read data using a connect socket (client side)
10 * GoodSource: Larger than zero but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the upper bound
14 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.
15 *
16 * */
17
18#include "std_testcase.h"
19
20#ifdef _WIN32
21#include <winsock2.h>
22#include <windows.h>
23#include <direct.h>
24#pragma comment(lib, "ws2_32") /* include ws2_32.lib when linking */
25#define CLOSE_SOCKET closesocket
26#else /* NOT _WIN32 */
27#include <sys/types.h>
28#include <sys/socket.h>
29#include <netinet/in.h>
30#include <arpa/inet.h>
31#include <unistd.h>
32#define INVALID_SOCKET -1
33#define SOCKET_ERROR -1
34#define CLOSE_SOCKET close
35#define SOCKET int
36#endif
37
38#define TCP_PORT 27015
39#define IP_ADDRESS "127.0.0.1"
40#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)
41
42#ifndef OMITBAD
43
44/* The static variable below is used to drive control flow in the sink function */
45static int badStatic = 0;
46
47static void badSink(int data)
48{
49 if(badStatic)
50 {
51 {
52 int i;
53 int buffer[10] = { 0 };
54 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
55 * This code does check to see if the array index is negative */
56 if (data >= 0)
57 {
58 buffer[data] = 1;❗VULN
59 /* Print the array values */
60 for(i = 0; i < 10; i++)
61 {
62 printIntLine(buffer[i]);
63 }
64 }
65 else
66 {
67 printLine("ERROR: Array index is negative.");
68 }
69 }
70 }
71}
72
73void CWE121_Stack_Based_Buffer_Overflow__CWE129_connect_socket_21_bad()
74{
75 int data;
76 /* Initialize data */
77 data = -1;
78 {
79#ifdef _WIN32
80 WSADATA wsaData;
81 int wsaDataInit = 0;
82#endif
83 int recvResult;
84 struct sockaddr_in service;
85 SOCKET connectSocket = INVALID_SOCKET;
86 char inputBuffer[CHAR_ARRAY_SIZE];
87 do
88 {
89#ifdef _WIN32
90 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
91 {
92 break;
93 }
94 wsaDataInit = 1;
95#endif
96 /* POTENTIAL FLAW: Read data using a connect socket */
97 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
98 if (connectSocket == INVALID_SOCKET)
99 {
100 break;
101 }
102 memset(&service, 0, sizeof(service));
103 service.sin_family = AF_INET;
104 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);
105 service.sin_port = htons(TCP_PORT);
106 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
107 {
108 break;
109 }
110 /* Abort on error or the connection was closed, make sure to recv one
111 * less char than is in the recv_buf in order to append a terminator */
112 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);
113 if (recvResult == SOCKET_ERROR || recvResult == 0)
114 {
115 break;
116 }
117 /* NUL-terminate the string */
118 inputBuffer[recvResult] = '\0';
119 /* Convert to int */
120 data = atoi(inputBuffer);
121 }
122 while (0);
123 if (connectSocket != INVALID_SOCKET)
124 {
125 CLOSE_SOCKET(connectSocket);
126 }
127#ifdef _WIN32
128 if (wsaDataInit)
129 {
130 WSACleanup();
131 }
132#endif
133 }
134 badStatic = 1; /* true */
135 badSink(data);
136}
137
138#endif /* OMITBAD */
139
140#ifndef OMITGOOD
141
142/* The static variables below are used to drive control flow in the sink functions. */
143static int goodB2G1Static = 0;
144static int goodB2G2Static = 0;
145static int goodG2BStatic = 0;
146
147/* goodB2G1() - use badsource and goodsink by setting the static variable to false instead of true */
148static void goodB2G1Sink(int data)
149{
150 if(goodB2G1Static)
151 {
152 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
153 printLine("Benign, fixed string");
154 }
155 else
156 {
157 {
158 int i;
159 int buffer[10] = { 0 };
160 /* FIX: Properly validate the array index and prevent a buffer overflow */
161 if (data >= 0 && data < (10))
162 {
163 buffer[data] = 1;
164 /* Print the array values */
165 for(i = 0; i < 10; i++)
166 {
167 printIntLine(buffer[i]);
168 }
169 }
170 else
171 {
172 printLine("ERROR: Array index is out-of-bounds");
173 }
174 }
175 }
176}
177
178static void goodB2G1()
179{
180 int data;
181 /* Initialize data */
182 data = -1;
183 {
184#ifdef _WIN32
185 WSADATA wsaData;
186 int wsaDataInit = 0;
187#endif
188 int recvResult;
189 struct sockaddr_in service;
190 SOCKET connectSocket = INVALID_SOCKET;
191 char inputBuffer[CHAR_ARRAY_SIZE];
192 do
193 {
194#ifdef _WIN32
195 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
196 {
197 break;
198 }
199 wsaDataInit = 1;
200#endif
201 /* POTENTIAL FLAW: Read data using a connect socket */
202 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
203 if (connectSocket == INVALID_SOCKET)
204 {
205 break;
206 }
207 memset(&service, 0, sizeof(service));
208 service.sin_family = AF_INET;
209 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);
210 service.sin_port = htons(TCP_PORT);
211 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
212 {
213 break;
214 }
215 /* Abort on error or the connection was closed, make sure to recv one
216 * less char than is in the recv_buf in order to append a terminator */
217 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);
218 if (recvResult == SOCKET_ERROR || recvResult == 0)
219 {
220 break;
221 }
222 /* NUL-terminate the string */
223 inputBuffer[recvResult] = '\0';
224 /* Convert to int */
225 data = atoi(inputBuffer);
226 }
227 while (0);
228 if (connectSocket != INVALID_SOCKET)
229 {
230 CLOSE_SOCKET(connectSocket);
231 }
232#ifdef _WIN32
233 if (wsaDataInit)
234 {
235 WSACleanup();
236 }
237#endif
238 }
239 goodB2G1Static = 0; /* false */
240 goodB2G1Sink(data);
241}
242
243/* goodB2G2() - use badsource and goodsink by reversing the blocks in the if in the sink function */
244static void goodB2G2Sink(int data)
245{
246 if(goodB2G2Static)
247 {
248 {
249 int i;
250 int buffer[10] = { 0 };
251 /* FIX: Properly validate the array index and prevent a buffer overflow */
252 if (data >= 0 && data < (10))
253 {
254 buffer[data] = 1;
255 /* Print the array values */
256 for(i = 0; i < 10; i++)
257 {
258 printIntLine(buffer[i]);
259 }
260 }
261 else
262 {
263 printLine("ERROR: Array index is out-of-bounds");
264 }
265 }
266 }
267}
268
269static void goodB2G2()
270{
271 int data;
272 /* Initialize data */
273 data = -1;
274 {
275#ifdef _WIN32
276 WSADATA wsaData;
277 int wsaDataInit = 0;
278#endif
279 int recvResult;
280 struct sockaddr_in service;
281 SOCKET connectSocket = INVALID_SOCKET;
282 char inputBuffer[CHAR_ARRAY_SIZE];
283 do
284 {
285#ifdef _WIN32
286 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
287 {
288 break;
289 }
290 wsaDataInit = 1;
291#endif
292 /* POTENTIAL FLAW: Read data using a connect socket */
293 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
294 if (connectSocket == INVALID_SOCKET)
295 {
296 break;
297 }
298 memset(&service, 0, sizeof(service));
299 service.sin_family = AF_INET;
300 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);
301 service.sin_port = htons(TCP_PORT);
302 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
303 {
304 break;
305 }
306 /* Abort on error or the connection was closed, make sure to recv one
307 * less char than is in the recv_buf in order to append a terminator */
308 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);
309 if (recvResult == SOCKET_ERROR || recvResult == 0)
310 {
311 break;
312 }
313 /* NUL-terminate the string */
314 inputBuffer[recvResult] = '\0';
315 /* Convert to int */
316 data = atoi(inputBuffer);
317 }
318 while (0);
319 if (connectSocket != INVALID_SOCKET)
320 {
321 CLOSE_SOCKET(connectSocket);
322 }
323#ifdef _WIN32
324 if (wsaDataInit)
325 {
326 WSACleanup();
327 }
328#endif
329 }
330 goodB2G2Static = 1; /* true */
331 goodB2G2Sink(data);
332}
333
334/* goodG2B() - use goodsource and badsink */
335static void goodG2BSink(int data)
336{
337 if(goodG2BStatic)
338 {
339 {
340 int i;
341 int buffer[10] = { 0 };
342 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
343 * This code does check to see if the array index is negative */
344 if (data >= 0)
345 {
346 buffer[data] = 1;
347 /* Print the array values */
348 for(i = 0; i < 10; i++)
349 {
350 printIntLine(buffer[i]);
351 }
352 }
353 else
354 {
355 printLine("ERROR: Array index is negative.");
356 }
357 }
358 }
359}
360
361static void goodG2B()
362{
363 int data;
364 /* Initialize data */
365 data = -1;
366 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
367 * access an index of the array in the sink that is out-of-bounds */
368 data = 7;
369 goodG2BStatic = 1; /* true */
370 goodG2BSink(data);
371}
372
373void CWE121_Stack_Based_Buffer_Overflow__CWE129_connect_socket_21_good()
374{
375 goodB2G1();
376 goodB2G2();
377 goodG2B();
378}
379
380#endif /* OMITGOOD */
381
382/* Below is the main(). It is only used when building this testcase on
383 its own for testing or for building a binary to use in testing binary
384 analysis tools. It is not used when compiling all the testcases as one
385 application, which is how source code analysis tools are tested. */
386
387#ifdef INCLUDEMAIN
388
389int main(int argc, char * argv[])
390{
391 /* seed randomness */
392 srand( (unsigned)time(NULL) );
393#ifndef OMITGOOD
394 printLine("Calling good()...");
395 CWE121_Stack_Based_Buffer_Overflow__CWE129_connect_socket_21_good();
396 printLine("Finished good()");
397#endif /* OMITGOOD */
398#ifndef OMITBAD
399 printLine("Calling bad()...");
400 CWE121_Stack_Based_Buffer_Overflow__CWE129_connect_socket_21_bad();
401 printLine("Finished bad()");
402#endif /* OMITBAD */
403 return 0;
404}
405
406#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7747: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_07.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_07.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml
4Template File: sources-sink-07.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: swprintf
12 * BadSink : Copy data to string using swprintf
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifdef _WIN32
22#define SNPRINTF _snwprintf
23#else
24#define SNPRINTF swprintf
25#endif
26
27/* The variable below is not declared "const", but is never assigned
28 * any other value so a tool should be able to identify that reads of
29 * this will always give its initialized value.
30 */
31static int staticFive = 5;
32
33#ifndef OMITBAD
34
35void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_07_bad()
36{
37 wchar_t * data;
38 data = (wchar_t *)malloc(100*sizeof(wchar_t));
39 if (data == NULL) {exit(-1);}
40 if(staticFive==5)
41 {
42 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
43 wmemset(data, L'A', 100-1); /* fill with L'A's */
44 data[100-1] = L'\0'; /* null terminate */
45 }
46 {
47 wchar_t dest[50] = L"";
48 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
49 SNPRINTF(dest, wcslen(data), L"%s", data);❗VULN
50 printWLine(data);
51 free(data);
52 }
53}
54
55#endif /* OMITBAD */
56
57#ifndef OMITGOOD
58
59/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
60static void goodG2B1()
61{
62 wchar_t * data;
63 data = (wchar_t *)malloc(100*sizeof(wchar_t));
64 if (data == NULL) {exit(-1);}
65 if(staticFive!=5)
66 {
67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
68 printLine("Benign, fixed string");
69 }
70 else
71 {
72 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
73 wmemset(data, L'A', 50-1); /* fill with L'A's */
74 data[50-1] = L'\0'; /* null terminate */
75 }
76 {
77 wchar_t dest[50] = L"";
78 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
79 SNPRINTF(dest, wcslen(data), L"%s", data);
80 printWLine(data);
81 free(data);
82 }
83}
84
85/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
86static void goodG2B2()
87{
88 wchar_t * data;
89 data = (wchar_t *)malloc(100*sizeof(wchar_t));
90 if (data == NULL) {exit(-1);}
91 if(staticFive==5)
92 {
93 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
94 wmemset(data, L'A', 50-1); /* fill with L'A's */
95 data[50-1] = L'\0'; /* null terminate */
96 }
97 {
98 wchar_t dest[50] = L"";
99 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
100 SNPRINTF(dest, wcslen(data), L"%s", data);
101 printWLine(data);
102 free(data);
103 }
104}
105
106void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_07_good()
107{
108 goodG2B1();
109 goodG2B2();
110}
111
112#endif /* OMITGOOD */
113
114/* Below is the main(). It is only used when building this testcase on
115 * its own for testing or for building a binary to use in testing binary
116 * analysis tools. It is not used when compiling all the testcases as one
117 * application, which is how source code analysis tools are tested.
118 */
119
120#ifdef INCLUDEMAIN
121
122int main(int argc, char * argv[])
123{
124 /* seed randomness */
125 srand( (unsigned)time(NULL) );
126#ifndef OMITGOOD
127 printLine("Calling good()...");
128 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_07_good();
129 printLine("Finished good()");
130#endif /* OMITGOOD */
131#ifndef OMITBAD
132 printLine("Calling bad()...");
133 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_07_bad();
134 printLine("Finished bad()");
135#endif /* OMITBAD */
136 return 0;
137}
138
139#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5449: CWE127_Buffer_Underread__malloc_wchar_t_cpy_21.c

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__malloc_wchar_t_cpy_21.c
3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml
4Template File: sources-sink-21.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: cpy
12 * BadSink : Copy data to string using wcscpy
13 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23/* The static variable below is used to drive control flow in the source function */
24static int badStatic = 0;
25
26static wchar_t * badSource(wchar_t * data)
27{
28 if(badStatic)
29 {
30 {
31 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
32 if (dataBuffer == NULL) {exit(-1);}
33 wmemset(dataBuffer, L'A', 100-1);
34 dataBuffer[100-1] = L'\0';
35 /* FLAW: Set data pointer to before the allocated memory buffer */
36 data = dataBuffer - 8;
37 }
38 }
39 return data;
40}
41
42void CWE127_Buffer_Underread__malloc_wchar_t_cpy_21_bad()
43{
44 wchar_t * data;
45 data = NULL;
46 badStatic = 1; /* true */
47 data = badSource(data);
48 {
49 wchar_t dest[100*2];
50 wmemset(dest, L'C', 100*2-1); /* fill with 'C's */
51 dest[100*2-1] = L'\0'; /* null terminate */
52 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
53 wcscpy(dest, data);❗VULN
54 printWLine(dest);
55 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
56 * returned by malloc() so can't safely call free() on it */
57 }
58}
59
60#endif /* OMITBAD */
61
62#ifndef OMITGOOD
63
64/* The static variables below are used to drive control flow in the source functions. */
65static int goodG2B1Static = 0;
66static int goodG2B2Static = 0;
67
68/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */
69static wchar_t * goodG2B1Source(wchar_t * data)
70{
71 if(goodG2B1Static)
72 {
73 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
74 printLine("Benign, fixed string");
75 }
76 else
77 {
78 {
79 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
80 if (dataBuffer == NULL) {exit(-1);}
81 wmemset(dataBuffer, L'A', 100-1);
82 dataBuffer[100-1] = L'\0';
83 /* FIX: Set data pointer to the allocated memory buffer */
84 data = dataBuffer;
85 }
86 }
87 return data;
88}
89
90static void goodG2B1()
91{
92 wchar_t * data;
93 data = NULL;
94 goodG2B1Static = 0; /* false */
95 data = goodG2B1Source(data);
96 {
97 wchar_t dest[100*2];
98 wmemset(dest, L'C', 100*2-1); /* fill with 'C's */
99 dest[100*2-1] = L'\0'; /* null terminate */
100 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
101 wcscpy(dest, data);
102 printWLine(dest);
103 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
104 * returned by malloc() so can't safely call free() on it */
105 }
106}
107
108/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */
109static wchar_t * goodG2B2Source(wchar_t * data)
110{
111 if(goodG2B2Static)
112 {
113 {
114 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
115 if (dataBuffer == NULL) {exit(-1);}
116 wmemset(dataBuffer, L'A', 100-1);
117 dataBuffer[100-1] = L'\0';
118 /* FIX: Set data pointer to the allocated memory buffer */
119 data = dataBuffer;
120 }
121 }
122 return data;
123}
124
125static void goodG2B2()
126{
127 wchar_t * data;
128 data = NULL;
129 goodG2B2Static = 1; /* true */
130 data = goodG2B2Source(data);
131 {
132 wchar_t dest[100*2];
133 wmemset(dest, L'C', 100*2-1); /* fill with 'C's */
134 dest[100*2-1] = L'\0'; /* null terminate */
135 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
136 wcscpy(dest, data);
137 printWLine(dest);
138 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
139 * returned by malloc() so can't safely call free() on it */
140 }
141}
142
143void CWE127_Buffer_Underread__malloc_wchar_t_cpy_21_good()
144{
145 goodG2B1();
146 goodG2B2();
147}
148
149#endif /* OMITGOOD */
150
151/* Below is the main(). It is only used when building this testcase on
152 * its own for testing or for building a binary to use in testing binary
153 * analysis tools. It is not used when compiling all the testcases as one
154 * application, which is how source code analysis tools are tested.
155 */
156
157#ifdef INCLUDEMAIN
158
159int main(int argc, char * argv[])
160{
161 /* seed randomness */
162 srand( (unsigned)time(NULL) );
163#ifndef OMITGOOD
164 printLine("Calling good()...");
165 CWE127_Buffer_Underread__malloc_wchar_t_cpy_21_good();
166 printLine("Finished good()");
167#endif /* OMITGOOD */
168#ifndef OMITBAD
169 printLine("Calling bad()...");
170 CWE127_Buffer_Underread__malloc_wchar_t_cpy_21_bad();
171 printLine("Finished bad()");
172#endif /* OMITBAD */
173 return 0;
174}
175
176#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4922: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_13.c

Nodes: 16 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_13.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml
4Template File: sources-sink-13.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: loop
12 * BadSink : Copy string to data using a loop
13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_13_bad()
24{
25 char * data;
26 char dataBadBuffer[50];
27 char dataGoodBuffer[100];
28 if(GLOBAL_CONST_FIVE==5)
29 {
30 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
31 * buffer in various memory copying functions using a "large" source buffer. */
32 data = dataBadBuffer;
33 data[0] = '\0'; /* null terminate */
34 }
35 {
36 size_t i;
37 char source[100];
38 memset(source, 'C', 100-1); /* fill with 'C's */
39 source[100-1] = '\0'; /* null terminate */
40 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
41 for (i = 0; i < 100; i++)
42 {
43 data[i] = source[i];❗VULN
44 }
45 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
46 printLine(data);
47 }
48}
49
50#endif /* OMITBAD */
51
52#ifndef OMITGOOD
53
54/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */
55static void goodG2B1()
56{
57 char * data;
58 char dataBadBuffer[50];
59 char dataGoodBuffer[100];
60 if(GLOBAL_CONST_FIVE!=5)
61 {
62 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
63 printLine("Benign, fixed string");
64 }
65 else
66 {
67 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
68 data = dataGoodBuffer;
69 data[0] = '\0'; /* null terminate */
70 }
71 {
72 size_t i;
73 char source[100];
74 memset(source, 'C', 100-1); /* fill with 'C's */
75 source[100-1] = '\0'; /* null terminate */
76 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
77 for (i = 0; i < 100; i++)
78 {
79 data[i] = source[i];
80 }
81 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
82 printLine(data);
83 }
84}
85
86/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
87static void goodG2B2()
88{
89 char * data;
90 char dataBadBuffer[50];
91 char dataGoodBuffer[100];
92 if(GLOBAL_CONST_FIVE==5)
93 {
94 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
95 data = dataGoodBuffer;
96 data[0] = '\0'; /* null terminate */
97 }
98 {
99 size_t i;
100 char source[100];
101 memset(source, 'C', 100-1); /* fill with 'C's */
102 source[100-1] = '\0'; /* null terminate */
103 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
104 for (i = 0; i < 100; i++)
105 {
106 data[i] = source[i];
107 }
108 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
109 printLine(data);
110 }
111}
112
113void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_13_good()
114{
115 goodG2B1();
116 goodG2B2();
117}
118
119#endif /* OMITGOOD */
120
121/* Below is the main(). It is only used when building this testcase on
122 * its own for testing or for building a binary to use in testing binary
123 * analysis tools. It is not used when compiling all the testcases as one
124 * application, which is how source code analysis tools are tested.
125 */
126
127#ifdef INCLUDEMAIN
128
129int main(int argc, char * argv[])
130{
131 /* seed randomness */
132 srand( (unsigned)time(NULL) );
133#ifndef OMITGOOD
134 printLine("Calling good()...");
135 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_13_good();
136 printLine("Finished good()");
137#endif /* OMITGOOD */
138#ifndef OMITBAD
139 printLine("Calling bad()...");
140 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_loop_13_bad();
141 printLine("Finished bad()");
142#endif /* OMITBAD */
143 return 0;
144}
145
146#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4011: CWE124_Buffer_Underwrite__new_char_memcpy_04.cpp

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__new_char_memcpy_04.cpp
3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml
4Template File: sources-sink-04.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memcpy
12 * BadSink : Copy string to data using memcpy
13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are declared "const", so a tool should
22 be able to identify that reads of these will always return their
23 initialized values. */
24static const int STATIC_CONST_TRUE = 1; /* true */
25static const int STATIC_CONST_FALSE = 0; /* false */
26
27namespace CWE124_Buffer_Underwrite__new_char_memcpy_04
28{
29
30#ifndef OMITBAD
31
32void bad()
33{
34 char * data;
35 data = NULL;
36 if(STATIC_CONST_TRUE)
37 {
38 {
39 char * dataBuffer = new char[100];
40 memset(dataBuffer, 'A', 100-1);
41 dataBuffer[100-1] = '\0';
42 /* FLAW: Set data pointer to before the allocated memory buffer */
43 data = dataBuffer - 8;
44 }
45 }
46 {
47 char source[100];
48 memset(source, 'C', 100-1); /* fill with 'C's */
49 source[100-1] = '\0'; /* null terminate */
50 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
51 memcpy(data, source, 100*sizeof(char));❗VULN
52 /* Ensure the destination buffer is null terminated */
53 data[100-1] = '\0';
54 printLine(data);
55 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
56 * returned by new [] so can't safely call delete [] on it */
57 }
58}
59
60#endif /* OMITBAD */
61
62#ifndef OMITGOOD
63
64/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */
65static void goodG2B1()
66{
67 char * data;
68 data = NULL;
69 if(STATIC_CONST_FALSE)
70 {
71 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
72 printLine("Benign, fixed string");
73 }
74 else
75 {
76 {
77 char * dataBuffer = new char[100];
78 memset(dataBuffer, 'A', 100-1);
79 dataBuffer[100-1] = '\0';
80 /* FIX: Set data pointer to the allocated memory buffer */
81 data = dataBuffer;
82 }
83 }
84 {
85 char source[100];
86 memset(source, 'C', 100-1); /* fill with 'C's */
87 source[100-1] = '\0'; /* null terminate */
88 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
89 memcpy(data, source, 100*sizeof(char));
90 /* Ensure the destination buffer is null terminated */
91 data[100-1] = '\0';
92 printLine(data);
93 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
94 * returned by new [] so can't safely call delete [] on it */
95 }
96}
97
98/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
99static void goodG2B2()
100{
101 char * data;
102 data = NULL;
103 if(STATIC_CONST_TRUE)
104 {
105 {
106 char * dataBuffer = new char[100];
107 memset(dataBuffer, 'A', 100-1);
108 dataBuffer[100-1] = '\0';
109 /* FIX: Set data pointer to the allocated memory buffer */
110 data = dataBuffer;
111 }
112 }
113 {
114 char source[100];
115 memset(source, 'C', 100-1); /* fill with 'C's */
116 source[100-1] = '\0'; /* null terminate */
117 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
118 memcpy(data, source, 100*sizeof(char));
119 /* Ensure the destination buffer is null terminated */
120 data[100-1] = '\0';
121 printLine(data);
122 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
123 * returned by new [] so can't safely call delete [] on it */
124 }
125}
126
127void good()
128{
129 goodG2B1();
130 goodG2B2();
131}
132
133#endif /* OMITGOOD */
134
135} /* close namespace */
136
137/* Below is the main(). It is only used when building this testcase on
138 its own for testing or for building a binary to use in testing binary
139 analysis tools. It is not used when compiling all the testcases as one
140 application, which is how source code analysis tools are tested. */
141
142#ifdef INCLUDEMAIN
143
144using namespace CWE124_Buffer_Underwrite__new_char_memcpy_04; /* so that we can use good and bad easily */
145
146int main(int argc, char * argv[])
147{
148 /* seed randomness */
149 srand( (unsigned)time(NULL) );
150#ifndef OMITGOOD
151 printLine("Calling good()...");
152 good();
153 printLine("Finished good()");
154#endif /* OMITGOOD */
155#ifndef OMITBAD
156 printLine("Calling bad()...");
157 bad();
158 printLine("Finished bad()");
159#endif /* OMITBAD */
160 return 0;
161}
162
163#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5489: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_memcpy_21.cpp

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_memcpy_21.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml
4Template File: sources-sink-21.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: memcpy
12 * BadSink : Copy string to data using memcpy
13 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_memcpy_21
22{
23
24#ifndef OMITBAD
25
26/* The static variable below is used to drive control flow in the source function */
27static int badStatic = 0;
28
29static char * badSource(char * data)
30{
31 if(badStatic)
32 {
33 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
34 data = new char[50];
35 data[0] = '\0'; /* null terminate */
36 }
37 return data;
38}
39
40void bad()
41{
42 char * data;
43 data = NULL;
44 badStatic = 1; /* true */
45 data = badSource(data);
46 {
47 char source[100];
48 memset(source, 'C', 100-1); /* fill with 'C's */
49 source[100-1] = '\0'; /* null terminate */
50 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
51 memcpy(data, source, 100*sizeof(char));❗VULN
52 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
53 printLine(data);
54 delete [] data;
55 }
56 ;
57}
58
59#endif /* OMITBAD */
60
61#ifndef OMITGOOD
62
63/* The static variables below are used to drive control flow in the source functions. */
64static int goodG2B1Static = 0;
65static int goodG2B2Static = 0;
66
67/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */
68static char * goodG2B1Source(char * data)
69{
70 if(goodG2B1Static)
71 {
72 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
73 printLine("Benign, fixed string");
74 }
75 else
76 {
77 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
78 data = new char[100];
79 data[0] = '\0'; /* null terminate */
80 }
81 return data;
82}
83
84static void goodG2B1()
85{
86 char * data;
87 data = NULL;
88 goodG2B1Static = 0; /* false */
89 data = goodG2B1Source(data);
90 {
91 char source[100];
92 memset(source, 'C', 100-1); /* fill with 'C's */
93 source[100-1] = '\0'; /* null terminate */
94 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
95 memcpy(data, source, 100*sizeof(char));
96 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
97 printLine(data);
98 delete [] data;
99 }
100 ;
101}
102
103/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */
104static char * goodG2B2Source(char * data)
105{
106 if(goodG2B2Static)
107 {
108 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
109 data = new char[100];
110 data[0] = '\0'; /* null terminate */
111 }
112 return data;
113}
114
115static void goodG2B2()
116{
117 char * data;
118 data = NULL;
119 goodG2B2Static = 1; /* true */
120 data = goodG2B2Source(data);
121 {
122 char source[100];
123 memset(source, 'C', 100-1); /* fill with 'C's */
124 source[100-1] = '\0'; /* null terminate */
125 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
126 memcpy(data, source, 100*sizeof(char));
127 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
128 printLine(data);
129 delete [] data;
130 }
131 ;
132}
133
134void good()
135{
136 goodG2B1();
137 goodG2B2();
138}
139
140#endif /* OMITGOOD */
141
142} /* close namespace */
143
144/* Below is the main(). It is only used when building this testcase on
145 its own for testing or for building a binary to use in testing binary
146 analysis tools. It is not used when compiling all the testcases as one
147 application, which is how source code analysis tools are tested. */
148
149#ifdef INCLUDEMAIN
150
151using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_memcpy_21; /* so that we can use good and bad easily */
152
153int main(int argc, char * argv[])
154{
155 /* seed randomness */
156 srand( (unsigned)time(NULL) );
157#ifndef OMITGOOD
158 printLine("Calling good()...");
159 good();
160 printLine("Finished good()");
161#endif /* OMITGOOD */
162#ifndef OMITBAD
163 printLine("Calling bad()...");
164 bad();
165 printLine("Finished bad()");
166#endif /* OMITBAD */
167 return 0;
168}
169
170#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3219: CWE127_Buffer_Underread__new_char_memcpy_21.cpp

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__new_char_memcpy_21.cpp
3Label Definition File: CWE127_Buffer_Underread__new.label.xml
4Template File: sources-sink-21.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE127_Buffer_Underread__new_char_memcpy_21
22{
23
24#ifndef OMITBAD
25
26/* The static variable below is used to drive control flow in the source function */
27static int badStatic = 0;
28
29static char * badSource(char * data)
30{
31 if(badStatic)
32 {
33 {
34 char * dataBuffer = new char[100];
35 memset(dataBuffer, 'A', 100-1);
36 dataBuffer[100-1] = '\0';
37 /* FLAW: Set data pointer to before the allocated memory buffer */
38 data = dataBuffer - 8;
39 }
40 }
41 return data;
42}
43
44void bad()
45{
46 char * data;
47 data = NULL;
48 badStatic = 1; /* true */
49 data = badSource(data);
50 {
51 char dest[100];
52 memset(dest, 'C', 100-1); /* fill with 'C's */
53 dest[100-1] = '\0'; /* null terminate */
54 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
55 memcpy(dest, data, 100*sizeof(char));❗VULN
56 /* Ensure null termination */
57 dest[100-1] = '\0';
58 printLine(dest);
59 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
60 * returned by new [] so can't safely call delete [] on it */
61 }
62 ;
63}
64
65#endif /* OMITBAD */
66
67#ifndef OMITGOOD
68
69/* The static variables below are used to drive control flow in the source functions. */
70static int goodG2B1Static = 0;
71static int goodG2B2Static = 0;
72
73/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */
74static char * goodG2B1Source(char * data)
75{
76 if(goodG2B1Static)
77 {
78 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
79 printLine("Benign, fixed string");
80 }
81 else
82 {
83 {
84 char * dataBuffer = new char[100];
85 memset(dataBuffer, 'A', 100-1);
86 dataBuffer[100-1] = '\0';
87 /* FIX: Set data pointer to the allocated memory buffer */
88 data = dataBuffer;
89 }
90 }
91 return data;
92}
93
94static void goodG2B1()
95{
96 char * data;
97 data = NULL;
98 goodG2B1Static = 0; /* false */
99 data = goodG2B1Source(data);
100 {
101 char dest[100];
102 memset(dest, 'C', 100-1); /* fill with 'C's */
103 dest[100-1] = '\0'; /* null terminate */
104 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
105 memcpy(dest, data, 100*sizeof(char));
106 /* Ensure null termination */
107 dest[100-1] = '\0';
108 printLine(dest);
109 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
110 * returned by new [] so can't safely call delete [] on it */
111 }
112 ;
113}
114
115/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */
116static char * goodG2B2Source(char * data)
117{
118 if(goodG2B2Static)
119 {
120 {
121 char * dataBuffer = new char[100];
122 memset(dataBuffer, 'A', 100-1);
123 dataBuffer[100-1] = '\0';
124 /* FIX: Set data pointer to the allocated memory buffer */
125 data = dataBuffer;
126 }
127 }
128 return data;
129}
130
131static void goodG2B2()
132{
133 char * data;
134 data = NULL;
135 goodG2B2Static = 1; /* true */
136 data = goodG2B2Source(data);
137 {
138 char dest[100];
139 memset(dest, 'C', 100-1); /* fill with 'C's */
140 dest[100-1] = '\0'; /* null terminate */
141 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
142 memcpy(dest, data, 100*sizeof(char));
143 /* Ensure null termination */
144 dest[100-1] = '\0';
145 printLine(dest);
146 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
147 * returned by new [] so can't safely call delete [] on it */
148 }
149 ;
150}
151
152void good()
153{
154 goodG2B1();
155 goodG2B2();
156}
157
158#endif /* OMITGOOD */
159
160} /* close namespace */
161
162/* Below is the main(). It is only used when building this testcase on
163 its own for testing or for building a binary to use in testing binary
164 analysis tools. It is not used when compiling all the testcases as one
165 application, which is how source code analysis tools are tested. */
166
167#ifdef INCLUDEMAIN
168
169using namespace CWE127_Buffer_Underread__new_char_memcpy_21; /* so that we can use good and bad easily */
170
171int main(int argc, char * argv[])
172{
173 /* seed randomness */
174 srand( (unsigned)time(NULL) );
175#ifndef OMITGOOD
176 printLine("Calling good()...");
177 good();
178 printLine("Finished good()");
179#endif /* OMITGOOD */
180#ifndef OMITBAD
181 printLine("Calling bad()...");
182 bad();
183 printLine("Finished bad()");
184#endif /* OMITBAD */
185 return 0;
186}
187
188#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4464: CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_memmove_07.c

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_memmove_07.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE193.label.xml
4Template File: sources-sink-07.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Point data to a buffer that does not have space for a NULL terminator
10 * GoodSource: Point data to a buffer that includes space for a NULL terminator
11 * Sink: memmove
12 * BadSink : Copy string to data using memmove()
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING L"AAAAAAAAAA"
25
26/* The variable below is not declared "const", but is never assigned
27 * any other value so a tool should be able to identify that reads of
28 * this will always give its initialized value.
29 */
30static int staticFive = 5;
31
32#ifndef OMITBAD
33
34void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_memmove_07_bad()
35{
36 wchar_t * data;
37 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA((10)*sizeof(wchar_t));
38 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA((10+1)*sizeof(wchar_t));
39 if(staticFive==5)
40 {
41 /* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing
42 * string copies in the sinks */
43 data = dataBadBuffer;
44 data[0] = L'\0'; /* null terminate */
45 }
46 {
47 wchar_t source[10+1] = SRC_STRING;
48 /* Copy length + 1 to include NUL terminator from source */
49 /* POTENTIAL FLAW: data may not have enough space to hold source */
50 memmove(data, source, (wcslen(source) + 1) * sizeof(wchar_t));❗VULN
51 printWLine(data);
52 }
53}
54
55#endif /* OMITBAD */
56
57#ifndef OMITGOOD
58
59/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
60static void goodG2B1()
61{
62 wchar_t * data;
63 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA((10)*sizeof(wchar_t));
64 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA((10+1)*sizeof(wchar_t));
65 if(staticFive!=5)
66 {
67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
68 printLine("Benign, fixed string");
69 }
70 else
71 {
72 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing
73 * string copies in the sinks */
74 data = dataGoodBuffer;
75 data[0] = L'\0'; /* null terminate */
76 }
77 {
78 wchar_t source[10+1] = SRC_STRING;
79 /* Copy length + 1 to include NUL terminator from source */
80 /* POTENTIAL FLAW: data may not have enough space to hold source */
81 memmove(data, source, (wcslen(source) + 1) * sizeof(wchar_t));
82 printWLine(data);
83 }
84}
85
86/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
87static void goodG2B2()
88{
89 wchar_t * data;
90 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA((10)*sizeof(wchar_t));
91 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA((10+1)*sizeof(wchar_t));
92 if(staticFive==5)
93 {
94 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing
95 * string copies in the sinks */
96 data = dataGoodBuffer;
97 data[0] = L'\0'; /* null terminate */
98 }
99 {
100 wchar_t source[10+1] = SRC_STRING;
101 /* Copy length + 1 to include NUL terminator from source */
102 /* POTENTIAL FLAW: data may not have enough space to hold source */
103 memmove(data, source, (wcslen(source) + 1) * sizeof(wchar_t));
104 printWLine(data);
105 }
106}
107
108void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_memmove_07_good()
109{
110 goodG2B1();
111 goodG2B2();
112}
113
114#endif /* OMITGOOD */
115
116/* Below is the main(). It is only used when building this testcase on
117 * its own for testing or for building a binary to use in testing binary
118 * analysis tools. It is not used when compiling all the testcases as one
119 * application, which is how source code analysis tools are tested.
120 */
121
122#ifdef INCLUDEMAIN
123
124int main(int argc, char * argv[])
125{
126 /* seed randomness */
127 srand( (unsigned)time(NULL) );
128#ifndef OMITGOOD
129 printLine("Calling good()...");
130 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_memmove_07_good();
131 printLine("Finished good()");
132#endif /* OMITGOOD */
133#ifndef OMITBAD
134 printLine("Calling bad()...");
135 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_alloca_memmove_07_bad();
136 printLine("Finished bad()");
137#endif /* OMITBAD */
138 return 0;
139}
140
141#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8394: CWE124_Buffer_Underwrite__malloc_char_cpy_16.c

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__malloc_char_cpy_16.c
3Label Definition File: CWE124_Buffer_Underwrite__malloc.label.xml
4Template File: sources-sink-16.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: cpy
12 * BadSink : Copy string to data using strcpy
13 * Flow Variant: 16 Control flow: while(1)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE124_Buffer_Underwrite__malloc_char_cpy_16_bad()
24{
25 char * data;
26 data = NULL;
27 while(1)
28 {
29 {
30 char * dataBuffer = (char *)malloc(100*sizeof(char));
31 if (dataBuffer == NULL) {exit(-1);}
32 memset(dataBuffer, 'A', 100-1);
33 dataBuffer[100-1] = '\0';
34 /* FLAW: Set data pointer to before the allocated memory buffer */
35 data = dataBuffer - 8;
36 }
37 break;
38 }
39 {
40 char source[100];
41 memset(source, 'C', 100-1); /* fill with 'C's */
42 source[100-1] = '\0'; /* null terminate */
43 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
44 strcpy(data, source);❗VULN
45 printLine(data);
46 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
47 * returned by malloc() so can't safely call free() on it */
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */
56static void goodG2B()
57{
58 char * data;
59 data = NULL;
60 while(1)
61 {
62 {
63 char * dataBuffer = (char *)malloc(100*sizeof(char));
64 if (dataBuffer == NULL) {exit(-1);}
65 memset(dataBuffer, 'A', 100-1);
66 dataBuffer[100-1] = '\0';
67 /* FIX: Set data pointer to the allocated memory buffer */
68 data = dataBuffer;
69 }
70 break;
71 }
72 {
73 char source[100];
74 memset(source, 'C', 100-1); /* fill with 'C's */
75 source[100-1] = '\0'; /* null terminate */
76 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
77 strcpy(data, source);
78 printLine(data);
79 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
80 * returned by malloc() so can't safely call free() on it */
81 }
82}
83
84void CWE124_Buffer_Underwrite__malloc_char_cpy_16_good()
85{
86 goodG2B();
87}
88
89#endif /* OMITGOOD */
90
91/* Below is the main(). It is only used when building this testcase on
92 * its own for testing or for building a binary to use in testing binary
93 * analysis tools. It is not used when compiling all the testcases as one
94 * application, which is how source code analysis tools are tested.
95 */
96
97#ifdef INCLUDEMAIN
98
99int main(int argc, char * argv[])
100{
101 /* seed randomness */
102 srand( (unsigned)time(NULL) );
103#ifndef OMITGOOD
104 printLine("Calling good()...");
105 CWE124_Buffer_Underwrite__malloc_char_cpy_16_good();
106 printLine("Finished good()");
107#endif /* OMITGOOD */
108#ifndef OMITBAD
109 printLine("Calling bad()...");
110 CWE124_Buffer_Underwrite__malloc_char_cpy_16_bad();
111 printLine("Finished bad()");
112#endif /* OMITBAD */
113 return 0;
114}
115
116#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 957: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_13.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_13.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml
4Template File: sources-sink-13.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: swprintf
12 * BadSink : Copy string to data using swprintf
13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifdef _WIN32
22#define SNPRINTF _snwprintf
23#else
24#define SNPRINTF swprintf
25#endif
26
27#ifndef OMITBAD
28
29void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_13_bad()
30{
31 wchar_t * data;
32 wchar_t dataBadBuffer[50];
33 wchar_t dataGoodBuffer[100];
34 if(GLOBAL_CONST_FIVE==5)
35 {
36 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
37 * buffer in various memory copying functions using a "large" source buffer. */
38 data = dataBadBuffer;
39 data[0] = L'\0'; /* null terminate */
40 }
41 {
42 wchar_t source[100];
43 wmemset(source, L'C', 100-1); /* fill with L'C's */
44 source[100-1] = L'\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
46 SNPRINTF(data, 100, L"%s", source);❗VULN
47 printWLine(data);
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */
56static void goodG2B1()
57{
58 wchar_t * data;
59 wchar_t dataBadBuffer[50];
60 wchar_t dataGoodBuffer[100];
61 if(GLOBAL_CONST_FIVE!=5)
62 {
63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
64 printLine("Benign, fixed string");
65 }
66 else
67 {
68 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
69 data = dataGoodBuffer;
70 data[0] = L'\0'; /* null terminate */
71 }
72 {
73 wchar_t source[100];
74 wmemset(source, L'C', 100-1); /* fill with L'C's */
75 source[100-1] = L'\0'; /* null terminate */
76 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
77 SNPRINTF(data, 100, L"%s", source);
78 printWLine(data);
79 }
80}
81
82/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
83static void goodG2B2()
84{
85 wchar_t * data;
86 wchar_t dataBadBuffer[50];
87 wchar_t dataGoodBuffer[100];
88 if(GLOBAL_CONST_FIVE==5)
89 {
90 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
91 data = dataGoodBuffer;
92 data[0] = L'\0'; /* null terminate */
93 }
94 {
95 wchar_t source[100];
96 wmemset(source, L'C', 100-1); /* fill with L'C's */
97 source[100-1] = L'\0'; /* null terminate */
98 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
99 SNPRINTF(data, 100, L"%s", source);
100 printWLine(data);
101 }
102}
103
104void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_13_good()
105{
106 goodG2B1();
107 goodG2B2();
108}
109
110#endif /* OMITGOOD */
111
112/* Below is the main(). It is only used when building this testcase on
113 * its own for testing or for building a binary to use in testing binary
114 * analysis tools. It is not used when compiling all the testcases as one
115 * application, which is how source code analysis tools are tested.
116 */
117
118#ifdef INCLUDEMAIN
119
120int main(int argc, char * argv[])
121{
122 /* seed randomness */
123 srand( (unsigned)time(NULL) );
124#ifndef OMITGOOD
125 printLine("Calling good()...");
126 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_13_good();
127 printLine("Finished good()");
128#endif /* OMITGOOD */
129#ifndef OMITBAD
130 printLine("Calling bad()...");
131 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_13_bad();
132 printLine("Finished bad()");
133#endif /* OMITBAD */
134 return 0;
135}
136
137#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8843: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_06.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_06.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml
4Template File: sources-sink-06.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The variable below is declared "const", so a tool should be able
22 * to identify that reads of this will always give its initialized value. */
23static const int STATIC_CONST_FIVE = 5;
24
25#ifndef OMITBAD
26
27void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_06_bad()
28{
29 wchar_t * data;
30 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
31 data = dataBuffer;
32 if(STATIC_CONST_FIVE==5)
33 {
34 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
35 wmemset(data, L'A', 100-1); /* fill with L'A's */
36 data[100-1] = L'\0'; /* null terminate */
37 }
38 {
39 wchar_t dest[50] = L"";
40 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
41 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));❗VULN
42 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
43 printWLine(data);
44 }
45}
46
47#endif /* OMITBAD */
48
49#ifndef OMITGOOD
50
51/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */
52static void goodG2B1()
53{
54 wchar_t * data;
55 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
56 data = dataBuffer;
57 if(STATIC_CONST_FIVE!=5)
58 {
59 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
60 printLine("Benign, fixed string");
61 }
62 else
63 {
64 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
65 wmemset(data, L'A', 50-1); /* fill with L'A's */
66 data[50-1] = L'\0'; /* null terminate */
67 }
68 {
69 wchar_t dest[50] = L"";
70 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
71 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));
72 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
73 printWLine(data);
74 }
75}
76
77/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
78static void goodG2B2()
79{
80 wchar_t * data;
81 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
82 data = dataBuffer;
83 if(STATIC_CONST_FIVE==5)
84 {
85 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
86 wmemset(data, L'A', 50-1); /* fill with L'A's */
87 data[50-1] = L'\0'; /* null terminate */
88 }
89 {
90 wchar_t dest[50] = L"";
91 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
92 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));
93 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
94 printWLine(data);
95 }
96}
97
98void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_06_good()
99{
100 goodG2B1();
101 goodG2B2();
102}
103
104#endif /* OMITGOOD */
105
106/* Below is the main(). It is only used when building this testcase on
107 * its own for testing or for building a binary to use in testing binary
108 * analysis tools. It is not used when compiling all the testcases as one
109 * application, which is how source code analysis tools are tested.
110 */
111
112#ifdef INCLUDEMAIN
113
114int main(int argc, char * argv[])
115{
116 /* seed randomness */
117 srand( (unsigned)time(NULL) );
118#ifndef OMITGOOD
119 printLine("Calling good()...");
120 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_06_good();
121 printLine("Finished good()");
122#endif /* OMITGOOD */
123#ifndef OMITBAD
124 printLine("Calling bad()...");
125 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_alloca_memcpy_06_bad();
126 printLine("Finished bad()");
127#endif /* OMITBAD */
128 return 0;
129}
130
131#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4364: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_memcpy_17.cpp

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_memcpy_17.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml
4Template File: sources-sink-17.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: memcpy
12 * BadSink : Copy string to data using memcpy
13 * Flow Variant: 17 Control flow: for loops
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_memcpy_17
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 int i;
29 char * data;
30 data = NULL;
31 for(i = 0; i < 1; i++)
32 {
33 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
34 data = new char[50];
35 data[0] = '\0'; /* null terminate */
36 }
37 {
38 char source[100];
39 memset(source, 'C', 100-1); /* fill with 'C's */
40 source[100-1] = '\0'; /* null terminate */
41 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
42 memcpy(data, source, 100*sizeof(char));❗VULN
43 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
44 printLine(data);
45 delete [] data;
46 }
47}
48
49#endif /* OMITBAD */
50
51#ifndef OMITGOOD
52
53/* goodG2B() - use goodsource in the for statement */
54static void goodG2B()
55{
56 int h;
57 char * data;
58 data = NULL;
59 for(h = 0; h < 1; h++)
60 {
61 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
62 data = new char[100];
63 data[0] = '\0'; /* null terminate */
64 }
65 {
66 char source[100];
67 memset(source, 'C', 100-1); /* fill with 'C's */
68 source[100-1] = '\0'; /* null terminate */
69 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
70 memcpy(data, source, 100*sizeof(char));
71 data[100-1] = '\0'; /* Ensure the destination buffer is null terminated */
72 printLine(data);
73 delete [] data;
74 }
75}
76
77void good()
78{
79 goodG2B();
80}
81
82#endif /* OMITGOOD */
83
84} /* close namespace */
85
86/* Below is the main(). It is only used when building this testcase on
87 its own for testing or for building a binary to use in testing binary
88 analysis tools. It is not used when compiling all the testcases as one
89 application, which is how source code analysis tools are tested. */
90
91#ifdef INCLUDEMAIN
92
93using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_memcpy_17; /* so that we can use good and bad easily */
94
95int main(int argc, char * argv[])
96{
97 /* seed randomness */
98 srand( (unsigned)time(NULL) );
99#ifndef OMITGOOD
100 printLine("Calling good()...");
101 good();
102 printLine("Finished good()");
103#endif /* OMITGOOD */
104#ifndef OMITBAD
105 printLine("Calling bad()...");
106 bad();
107 printLine("Finished bad()");
108#endif /* OMITBAD */
109 return 0;
110}
111
112#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8073: CWE121_Stack_Based_Buffer_Overflow__char_type_overrun_memmove_07.c

Nodes: 8 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__char_type_overrun_memmove_07.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow.label.xml
4Template File: point-flaw-07.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * Sinks: type_overrun_memmove
10 * GoodSink: Perform the memmove() and prevent overwriting part of the structure
11 * BadSink : Overwrite part of the structure by incorrectly using the sizeof(struct) in memmove()
12 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
13 *
14 * */
15
16#include "std_testcase.h"
17
18#ifndef _WIN32
19#include <wchar.h>
20#endif
21
22/* SRC_STR is 32 char long, including the null terminator, for 64-bit architectures */
23#define SRC_STR "0123456789abcdef0123456789abcde"
24
25typedef struct _charVoid
26{
27 char charFirst[16];
28 void * voidSecond;
29 void * voidThird;
30} charVoid;
31
32/* The variable below is not declared "const", but is never assigned
33 any other value so a tool should be able to identify that reads of
34 this will always give its initialized value. */
35static int staticFive = 5;
36
37#ifndef OMITBAD
38
39void CWE121_Stack_Based_Buffer_Overflow__char_type_overrun_memmove_07_bad()
40{
41 if(staticFive==5)
42 {
43 {
44 charVoid structCharVoid;
45 structCharVoid.voidSecond = (void *)SRC_STR;
46 /* Print the initial block pointed to by structCharVoid.voidSecond */
47 printLine((char *)structCharVoid.voidSecond);
48 /* FLAW: Use the sizeof(structCharVoid) which will overwrite the pointer voidSecond */
49 memmove(structCharVoid.charFirst, SRC_STR, sizeof(structCharVoid));❗VULN
50 structCharVoid.charFirst[(sizeof(structCharVoid.charFirst)/sizeof(char))-1] = '\0'; /* null terminate the string */
51 printLine((char *)structCharVoid.charFirst);
52 printLine((char *)structCharVoid.voidSecond);
53 }
54 }
55}
56
57#endif /* OMITBAD */
58
59#ifndef OMITGOOD
60
61/* good1() uses if(staticFive!=5) instead of if(staticFive==5) */
62static void good1()
63{
64 if(staticFive!=5)
65 {
66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
67 printLine("Benign, fixed string");
68 }
69 else
70 {
71 {
72 charVoid structCharVoid;
73 structCharVoid.voidSecond = (void *)SRC_STR;
74 /* Print the initial block pointed to by structCharVoid.voidSecond */
75 printLine((char *)structCharVoid.voidSecond);
76 /* FIX: Use sizeof(structCharVoid.charFirst) to avoid overwriting the pointer voidSecond */
77 memmove(structCharVoid.charFirst, SRC_STR, sizeof(structCharVoid.charFirst));
78 structCharVoid.charFirst[(sizeof(structCharVoid.charFirst)/sizeof(char))-1] = '\0'; /* null terminate the string */
79 printLine((char *)structCharVoid.charFirst);
80 printLine((char *)structCharVoid.voidSecond);
81 }
82 }
83}
84
85/* good2() reverses the bodies in the if statement */
86static void good2()
87{
88 if(staticFive==5)
89 {
90 {
91 charVoid structCharVoid;
92 structCharVoid.voidSecond = (void *)SRC_STR;
93 /* Print the initial block pointed to by structCharVoid.voidSecond */
94 printLine((char *)structCharVoid.voidSecond);
95 /* FIX: Use sizeof(structCharVoid.charFirst) to avoid overwriting the pointer voidSecond */
96 memmove(structCharVoid.charFirst, SRC_STR, sizeof(structCharVoid.charFirst));
97 structCharVoid.charFirst[(sizeof(structCharVoid.charFirst)/sizeof(char))-1] = '\0'; /* null terminate the string */
98 printLine((char *)structCharVoid.charFirst);
99 printLine((char *)structCharVoid.voidSecond);
100 }
101 }
102}
103
104void CWE121_Stack_Based_Buffer_Overflow__char_type_overrun_memmove_07_good()
105{
106 good1();
107 good2();
108}
109
110#endif /* OMITGOOD */
111
112/* Below is the main(). It is only used when building this testcase on
113 its own for testing or for building a binary to use in testing binary
114 analysis tools. It is not used when compiling all the testcases as one
115 application, which is how source code analysis tools are tested. */
116
117#ifdef INCLUDEMAIN
118
119int main(int argc, char * argv[])
120{
121 /* seed randomness */
122 srand( (unsigned)time(NULL) );
123#ifndef OMITGOOD
124 printLine("Calling good()...");
125 CWE121_Stack_Based_Buffer_Overflow__char_type_overrun_memmove_07_good();
126 printLine("Finished good()");
127#endif /* OMITGOOD */
128#ifndef OMITBAD
129 printLine("Calling bad()...");
130 CWE121_Stack_Based_Buffer_Overflow__char_type_overrun_memmove_07_bad();
131 printLine("Finished bad()");
132#endif /* OMITBAD */
133 return 0;
134}
135
136#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3778: CWE126_Buffer_Overread__char_alloca_memcpy_01.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__char_alloca_memcpy_01.c
3Label Definition File: CWE126_Buffer_Overread.stack.label.xml
4Template File: sources-sink-01.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Set data pointer to a small buffer
10 * GoodSource: Set data pointer to a large buffer
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 01 Baseline
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE126_Buffer_Overread__char_alloca_memcpy_01_bad()
24{
25 char * data;
26 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
27 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
28 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */
29 dataBadBuffer[50-1] = '\0'; /* null terminate */
30 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */
31 dataGoodBuffer[100-1] = '\0'; /* null terminate */
32 /* FLAW: Set data pointer to a small buffer */
33 data = dataBadBuffer;
34 {
35 char dest[100];
36 memset(dest, 'C', 100-1);
37 dest[100-1] = '\0'; /* null terminate */
38 /* POTENTIAL FLAW: using memcpy with the length of the dest where data
39 * could be smaller than dest causing buffer overread */
40 memcpy(dest, data, strlen(dest)*sizeof(char));❗VULN
41 dest[100-1] = '\0';
42 printLine(dest);
43 }
44}
45
46#endif /* OMITBAD */
47
48#ifndef OMITGOOD
49
50/* goodG2B uses the GoodSource with the BadSink */
51static void goodG2B()
52{
53 char * data;
54 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
55 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
56 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */
57 dataBadBuffer[50-1] = '\0'; /* null terminate */
58 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */
59 dataGoodBuffer[100-1] = '\0'; /* null terminate */
60 /* FIX: Set data pointer to a large buffer */
61 data = dataGoodBuffer;
62 {
63 char dest[100];
64 memset(dest, 'C', 100-1);
65 dest[100-1] = '\0'; /* null terminate */
66 /* POTENTIAL FLAW: using memcpy with the length of the dest where data
67 * could be smaller than dest causing buffer overread */
68 memcpy(dest, data, strlen(dest)*sizeof(char));
69 dest[100-1] = '\0';
70 printLine(dest);
71 }
72}
73
74void CWE126_Buffer_Overread__char_alloca_memcpy_01_good()
75{
76 goodG2B();
77}
78
79#endif /* OMITGOOD */
80
81/* Below is the main(). It is only used when building this testcase on
82 * its own for testing or for building a binary to use in testing binary
83 * analysis tools. It is not used when compiling all the testcases as one
84 * application, which is how source code analysis tools are tested.
85 */
86
87#ifdef INCLUDEMAIN
88
89int main(int argc, char * argv[])
90{
91 /* seed randomness */
92 srand( (unsigned)time(NULL) );
93#ifndef OMITGOOD
94 printLine("Calling good()...");
95 CWE126_Buffer_Overread__char_alloca_memcpy_01_good();
96 printLine("Finished good()");
97#endif /* OMITGOOD */
98#ifndef OMITBAD
99 printLine("Calling bad()...");
100 CWE126_Buffer_Overread__char_alloca_memcpy_01_bad();
101 printLine("Finished bad()");
102#endif /* OMITBAD */
103 return 0;
104}
105
106#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3999: CWE124_Buffer_Underwrite__char_declare_loop_14.c

Nodes: 16 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__char_declare_loop_14.c
3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml
4Template File: sources-sink-14.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: loop
12 * BadSink : Copy string to data using a loop
13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE124_Buffer_Underwrite__char_declare_loop_14_bad()
24{
25 char * data;
26 char dataBuffer[100];
27 memset(dataBuffer, 'A', 100-1);
28 dataBuffer[100-1] = '\0';
29 if(globalFive==5)
30 {
31 /* FLAW: Set data pointer to before the allocated memory buffer */
32 data = dataBuffer - 8;
33 }
34 {
35 size_t i;
36 char source[100];
37 memset(source, 'C', 100-1); /* fill with 'C's */
38 source[100-1] = '\0'; /* null terminate */
39 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
40 for (i = 0; i < 100; i++)
41 {
42 data[i] = source[i];❗VULN
43 }
44 /* Ensure the destination buffer is null terminated */
45 data[100-1] = '\0';
46 printLine(data);
47 }
48}
49
50#endif /* OMITBAD */
51
52#ifndef OMITGOOD
53
54/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */
55static void goodG2B1()
56{
57 char * data;
58 char dataBuffer[100];
59 memset(dataBuffer, 'A', 100-1);
60 dataBuffer[100-1] = '\0';
61 if(globalFive!=5)
62 {
63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
64 printLine("Benign, fixed string");
65 }
66 else
67 {
68 /* FIX: Set data pointer to the allocated memory buffer */
69 data = dataBuffer;
70 }
71 {
72 size_t i;
73 char source[100];
74 memset(source, 'C', 100-1); /* fill with 'C's */
75 source[100-1] = '\0'; /* null terminate */
76 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
77 for (i = 0; i < 100; i++)
78 {
79 data[i] = source[i];
80 }
81 /* Ensure the destination buffer is null terminated */
82 data[100-1] = '\0';
83 printLine(data);
84 }
85}
86
87/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
88static void goodG2B2()
89{
90 char * data;
91 char dataBuffer[100];
92 memset(dataBuffer, 'A', 100-1);
93 dataBuffer[100-1] = '\0';
94 if(globalFive==5)
95 {
96 /* FIX: Set data pointer to the allocated memory buffer */
97 data = dataBuffer;
98 }
99 {
100 size_t i;
101 char source[100];
102 memset(source, 'C', 100-1); /* fill with 'C's */
103 source[100-1] = '\0'; /* null terminate */
104 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
105 for (i = 0; i < 100; i++)
106 {
107 data[i] = source[i];
108 }
109 /* Ensure the destination buffer is null terminated */
110 data[100-1] = '\0';
111 printLine(data);
112 }
113}
114
115void CWE124_Buffer_Underwrite__char_declare_loop_14_good()
116{
117 goodG2B1();
118 goodG2B2();
119}
120
121#endif /* OMITGOOD */
122
123/* Below is the main(). It is only used when building this testcase on
124 * its own for testing or for building a binary to use in testing binary
125 * analysis tools. It is not used when compiling all the testcases as one
126 * application, which is how source code analysis tools are tested.
127 */
128
129#ifdef INCLUDEMAIN
130
131int main(int argc, char * argv[])
132{
133 /* seed randomness */
134 srand( (unsigned)time(NULL) );
135#ifndef OMITGOOD
136 printLine("Calling good()...");
137 CWE124_Buffer_Underwrite__char_declare_loop_14_good();
138 printLine("Finished good()");
139#endif /* OMITGOOD */
140#ifndef OMITBAD
141 printLine("Calling bad()...");
142 CWE124_Buffer_Underwrite__char_declare_loop_14_bad();
143 printLine("Finished bad()");
144#endif /* OMITBAD */
145 return 0;
146}
147
148#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5409: CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_15.c

Nodes: 24 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_15.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE129.label.xml
4Template File: sources-sinks-15.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: fscanf Read data from the console using fscanf()
10 * GoodSource: Larger than zero but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the upper bound
14 * Flow Variant: 15 Control flow: switch(6) and switch(7)
15 *
16 * */
17
18#include "std_testcase.h"
19
20#ifndef OMITBAD
21
22void CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_15_bad()
23{
24 int data;
25 /* Initialize data */
26 data = -1;
27 switch(6)
28 {
29 case 6:
30 /* POTENTIAL FLAW: Read data from the console using fscanf() */
31 fscanf(stdin, "%d", &data);
32 break;
33 default:
34 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
35 printLine("Benign, fixed string");
36 break;
37 }
38 switch(7)
39 {
40 case 7:
41 {
42 int i;
43 int buffer[10] = { 0 };
44 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
45 * This code does check to see if the array index is negative */
46 if (data >= 0)
47 {
48 buffer[data] = 1;❗VULN
49 /* Print the array values */
50 for(i = 0; i < 10; i++)
51 {
52 printIntLine(buffer[i]);
53 }
54 }
55 else
56 {
57 printLine("ERROR: Array index is negative.");
58 }
59 }
60 break;
61 default:
62 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
63 printLine("Benign, fixed string");
64 break;
65 }
66}
67
68#endif /* OMITBAD */
69
70#ifndef OMITGOOD
71
72/* goodB2G1() - use badsource and goodsink by changing the second switch to switch(8) */
73static void goodB2G1()
74{
75 int data;
76 /* Initialize data */
77 data = -1;
78 switch(6)
79 {
80 case 6:
81 /* POTENTIAL FLAW: Read data from the console using fscanf() */
82 fscanf(stdin, "%d", &data);
83 break;
84 default:
85 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
86 printLine("Benign, fixed string");
87 break;
88 }
89 switch(8)
90 {
91 case 7:
92 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
93 printLine("Benign, fixed string");
94 break;
95 default:
96 {
97 int i;
98 int buffer[10] = { 0 };
99 /* FIX: Properly validate the array index and prevent a buffer overflow */
100 if (data >= 0 && data < (10))
101 {
102 buffer[data] = 1;
103 /* Print the array values */
104 for(i = 0; i < 10; i++)
105 {
106 printIntLine(buffer[i]);
107 }
108 }
109 else
110 {
111 printLine("ERROR: Array index is out-of-bounds");
112 }
113 }
114 break;
115 }
116}
117
118/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second switch */
119static void goodB2G2()
120{
121 int data;
122 /* Initialize data */
123 data = -1;
124 switch(6)
125 {
126 case 6:
127 /* POTENTIAL FLAW: Read data from the console using fscanf() */
128 fscanf(stdin, "%d", &data);
129 break;
130 default:
131 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
132 printLine("Benign, fixed string");
133 break;
134 }
135 switch(7)
136 {
137 case 7:
138 {
139 int i;
140 int buffer[10] = { 0 };
141 /* FIX: Properly validate the array index and prevent a buffer overflow */
142 if (data >= 0 && data < (10))
143 {
144 buffer[data] = 1;
145 /* Print the array values */
146 for(i = 0; i < 10; i++)
147 {
148 printIntLine(buffer[i]);
149 }
150 }
151 else
152 {
153 printLine("ERROR: Array index is out-of-bounds");
154 }
155 }
156 break;
157 default:
158 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
159 printLine("Benign, fixed string");
160 break;
161 }
162}
163
164/* goodG2B1() - use goodsource and badsink by changing the first switch to switch(5) */
165static void goodG2B1()
166{
167 int data;
168 /* Initialize data */
169 data = -1;
170 switch(5)
171 {
172 case 6:
173 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
174 printLine("Benign, fixed string");
175 break;
176 default:
177 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
178 * access an index of the array in the sink that is out-of-bounds */
179 data = 7;
180 break;
181 }
182 switch(7)
183 {
184 case 7:
185 {
186 int i;
187 int buffer[10] = { 0 };
188 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
189 * This code does check to see if the array index is negative */
190 if (data >= 0)
191 {
192 buffer[data] = 1;
193 /* Print the array values */
194 for(i = 0; i < 10; i++)
195 {
196 printIntLine(buffer[i]);
197 }
198 }
199 else
200 {
201 printLine("ERROR: Array index is negative.");
202 }
203 }
204 break;
205 default:
206 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
207 printLine("Benign, fixed string");
208 break;
209 }
210}
211
212/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first switch */
213static void goodG2B2()
214{
215 int data;
216 /* Initialize data */
217 data = -1;
218 switch(6)
219 {
220 case 6:
221 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
222 * access an index of the array in the sink that is out-of-bounds */
223 data = 7;
224 break;
225 default:
226 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
227 printLine("Benign, fixed string");
228 break;
229 }
230 switch(7)
231 {
232 case 7:
233 {
234 int i;
235 int buffer[10] = { 0 };
236 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
237 * This code does check to see if the array index is negative */
238 if (data >= 0)
239 {
240 buffer[data] = 1;
241 /* Print the array values */
242 for(i = 0; i < 10; i++)
243 {
244 printIntLine(buffer[i]);
245 }
246 }
247 else
248 {
249 printLine("ERROR: Array index is negative.");
250 }
251 }
252 break;
253 default:
254 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
255 printLine("Benign, fixed string");
256 break;
257 }
258}
259
260void CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_15_good()
261{
262 goodB2G1();
263 goodB2G2();
264 goodG2B1();
265 goodG2B2();
266}
267
268#endif /* OMITGOOD */
269
270/* Below is the main(). It is only used when building this testcase on
271 its own for testing or for building a binary to use in testing binary
272 analysis tools. It is not used when compiling all the testcases as one
273 application, which is how source code analysis tools are tested. */
274
275#ifdef INCLUDEMAIN
276
277int main(int argc, char * argv[])
278{
279 /* seed randomness */
280 srand( (unsigned)time(NULL) );
281#ifndef OMITGOOD
282 printLine("Calling good()...");
283 CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_15_good();
284 printLine("Finished good()");
285#endif /* OMITGOOD */
286#ifndef OMITBAD
287 printLine("Calling bad()...");
288 CWE121_Stack_Based_Buffer_Overflow__CWE129_fscanf_15_bad();
289 printLine("Finished bad()");
290#endif /* OMITBAD */
291 return 0;
292}
293
294#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4939: CWE127_Buffer_Underread__wchar_t_alloca_loop_01.c

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__wchar_t_alloca_loop_01.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-01.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 01 Baseline
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__wchar_t_alloca_loop_01_bad()
24{
25 wchar_t * data;
26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
27 wmemset(dataBuffer, L'A', 100-1);
28 dataBuffer[100-1] = L'\0';
29 /* FLAW: Set data pointer to before the allocated memory buffer */
30 data = dataBuffer - 8;
31 {
32 size_t i;
33 wchar_t dest[100];
34 wmemset(dest, L'C', 100-1); /* fill with 'C's */
35 dest[100-1] = L'\0'; /* null terminate */
36 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
37 for (i = 0; i < 100; i++)
38 {
39 dest[i] = data[i];❗VULN
40 }
41 /* Ensure null termination */
42 dest[100-1] = L'\0';
43 printWLine(dest);
44 }
45}
46
47#endif /* OMITBAD */
48
49#ifndef OMITGOOD
50
51/* goodG2B uses the GoodSource with the BadSink */
52static void goodG2B()
53{
54 wchar_t * data;
55 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
56 wmemset(dataBuffer, L'A', 100-1);
57 dataBuffer[100-1] = L'\0';
58 /* FIX: Set data pointer to the allocated memory buffer */
59 data = dataBuffer;
60 {
61 size_t i;
62 wchar_t dest[100];
63 wmemset(dest, L'C', 100-1); /* fill with 'C's */
64 dest[100-1] = L'\0'; /* null terminate */
65 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
66 for (i = 0; i < 100; i++)
67 {
68 dest[i] = data[i];
69 }
70 /* Ensure null termination */
71 dest[100-1] = L'\0';
72 printWLine(dest);
73 }
74}
75
76void CWE127_Buffer_Underread__wchar_t_alloca_loop_01_good()
77{
78 goodG2B();
79}
80
81#endif /* OMITGOOD */
82
83/* Below is the main(). It is only used when building this testcase on
84 * its own for testing or for building a binary to use in testing binary
85 * analysis tools. It is not used when compiling all the testcases as one
86 * application, which is how source code analysis tools are tested.
87 */
88
89#ifdef INCLUDEMAIN
90
91int main(int argc, char * argv[])
92{
93 /* seed randomness */
94 srand( (unsigned)time(NULL) );
95#ifndef OMITGOOD
96 printLine("Calling good()...");
97 CWE127_Buffer_Underread__wchar_t_alloca_loop_01_good();
98 printLine("Finished good()");
99#endif /* OMITGOOD */
100#ifndef OMITBAD
101 printLine("Calling bad()...");
102 CWE127_Buffer_Underread__wchar_t_alloca_loop_01_bad();
103 printLine("Finished bad()");
104#endif /* OMITBAD */
105 return 0;
106}
107
108#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7661: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_ncpy_33.cpp

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_ncpy_33.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806.label.xml
4Template File: sources-sink-33.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sinks: ncpy
12 * BadSink : Copy data to string using wcsncpy
13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_ncpy_33
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 wchar_t * data;
29 wchar_t * &dataRef = data;
30 data = new wchar_t[100];
31 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
32 wmemset(data, L'A', 100-1); /* fill with L'A's */
33 data[100-1] = L'\0'; /* null terminate */
34 {
35 wchar_t * data = dataRef;
36 {
37 wchar_t dest[50] = L"";
38 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
39 wcsncpy(dest, data, wcslen(data));❗VULN
40 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
41 printWLine(data);
42 delete [] data;
43 }
44 }
45}
46
47#endif /* OMITBAD */
48
49#ifndef OMITGOOD
50
51/* goodG2B() uses the GoodSource with the BadSink */
52static void goodG2B()
53{
54 wchar_t * data;
55 wchar_t * &dataRef = data;
56 data = new wchar_t[100];
57 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
58 wmemset(data, L'A', 50-1); /* fill with L'A's */
59 data[50-1] = L'\0'; /* null terminate */
60 {
61 wchar_t * data = dataRef;
62 {
63 wchar_t dest[50] = L"";
64 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
65 wcsncpy(dest, data, wcslen(data));
66 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
67 printWLine(data);
68 delete [] data;
69 }
70 }
71}
72
73void good()
74{
75 goodG2B();
76}
77
78#endif /* OMITGOOD */
79
80} /* close namespace */
81
82/* Below is the main(). It is only used when building this testcase on
83 its own for testing or for building a binary to use in testing binary
84 analysis tools. It is not used when compiling all the testcases as one
85 application, which is how source code analysis tools are tested. */
86#ifdef INCLUDEMAIN
87
88using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_ncpy_33; /* so that we can use good and bad easily */
89
90int main(int argc, char * argv[])
91{
92 /* seed randomness */
93 srand( (unsigned)time(NULL) );
94#ifndef OMITGOOD
95 printLine("Calling good()...");
96 good();
97 printLine("Finished good()");
98#endif /* OMITGOOD */
99#ifndef OMITBAD
100 printLine("Calling bad()...");
101 bad();
102 printLine("Finished bad()");
103#endif /* OMITBAD */
104 return 0;
105}
106
107#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7257: CWE127_Buffer_Underread__malloc_char_memcpy_34.c

Nodes: 17 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__malloc_char_memcpy_34.c
3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml
4Template File: sources-sink-34.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sinks: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21typedef union
22{
23 char * unionFirst;
24 char * unionSecond;
25} CWE127_Buffer_Underread__malloc_char_memcpy_34_unionType;
26
27#ifndef OMITBAD
28
29void CWE127_Buffer_Underread__malloc_char_memcpy_34_bad()
30{
31 char * data;
32 CWE127_Buffer_Underread__malloc_char_memcpy_34_unionType myUnion;
33 data = NULL;
34 {
35 char * dataBuffer = (char *)malloc(100*sizeof(char));
36 if (dataBuffer == NULL) {exit(-1);}
37 memset(dataBuffer, 'A', 100-1);
38 dataBuffer[100-1] = '\0';
39 /* FLAW: Set data pointer to before the allocated memory buffer */
40 data = dataBuffer - 8;
41 }
42 myUnion.unionFirst = data;
43 {
44 char * data = myUnion.unionSecond;
45 {
46 char dest[100];
47 memset(dest, 'C', 100-1); /* fill with 'C's */
48 dest[100-1] = '\0'; /* null terminate */
49 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
50 memcpy(dest, data, 100*sizeof(char));❗VULN
51 /* Ensure null termination */
52 dest[100-1] = '\0';
53 printLine(dest);
54 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
55 * returned by malloc() so can't safely call free() on it */
56 }
57 }
58}
59
60#endif /* OMITBAD */
61
62#ifndef OMITGOOD
63
64/* goodG2B() uses the GoodSource with the BadSink */
65static void goodG2B()
66{
67 char * data;
68 CWE127_Buffer_Underread__malloc_char_memcpy_34_unionType myUnion;
69 data = NULL;
70 {
71 char * dataBuffer = (char *)malloc(100*sizeof(char));
72 if (dataBuffer == NULL) {exit(-1);}
73 memset(dataBuffer, 'A', 100-1);
74 dataBuffer[100-1] = '\0';
75 /* FIX: Set data pointer to the allocated memory buffer */
76 data = dataBuffer;
77 }
78 myUnion.unionFirst = data;
79 {
80 char * data = myUnion.unionSecond;
81 {
82 char dest[100];
83 memset(dest, 'C', 100-1); /* fill with 'C's */
84 dest[100-1] = '\0'; /* null terminate */
85 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
86 memcpy(dest, data, 100*sizeof(char));
87 /* Ensure null termination */
88 dest[100-1] = '\0';
89 printLine(dest);
90 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
91 * returned by malloc() so can't safely call free() on it */
92 }
93 }
94}
95
96void CWE127_Buffer_Underread__malloc_char_memcpy_34_good()
97{
98 goodG2B();
99}
100
101#endif /* OMITGOOD */
102
103/* Below is the main(). It is only used when building this testcase on
104 * its own for testing or for building a binary to use in testing binary
105 * analysis tools. It is not used when compiling all the testcases as one
106 * application, which is how source code analysis tools are tested.
107 */
108#ifdef INCLUDEMAIN
109
110int main(int argc, char * argv[])
111{
112 /* seed randomness */
113 srand( (unsigned)time(NULL) );
114#ifndef OMITGOOD
115 printLine("Calling good()...");
116 CWE127_Buffer_Underread__malloc_char_memcpy_34_good();
117 printLine("Finished good()");
118#endif /* OMITGOOD */
119#ifndef OMITBAD
120 printLine("Calling bad()...");
121 CWE127_Buffer_Underread__malloc_char_memcpy_34_bad();
122 printLine("Finished bad()");
123#endif /* OMITBAD */
124 return 0;
125}
126
127#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4787: CWE127_Buffer_Underread__malloc_wchar_t_loop_01.c

Nodes: 18 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__malloc_wchar_t_loop_01.c
3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml
4Template File: sources-sink-01.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 01 Baseline
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__malloc_wchar_t_loop_01_bad()
24{
25 wchar_t * data;
26 data = NULL;
27 {
28 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
29 if (dataBuffer == NULL) {exit(-1);}
30 wmemset(dataBuffer, L'A', 100-1);
31 dataBuffer[100-1] = L'\0';
32 /* FLAW: Set data pointer to before the allocated memory buffer */
33 data = dataBuffer - 8;
34 }
35 {
36 size_t i;
37 wchar_t dest[100];
38 wmemset(dest, L'C', 100-1); /* fill with 'C's */
39 dest[100-1] = L'\0'; /* null terminate */
40 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
41 for (i = 0; i < 100; i++)
42 {
43 dest[i] = data[i];❗VULN
44 }
45 /* Ensure null termination */
46 dest[100-1] = L'\0';
47 printWLine(dest);
48 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
49 * returned by malloc() so can't safely call free() on it */
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B uses the GoodSource with the BadSink */
58static void goodG2B()
59{
60 wchar_t * data;
61 data = NULL;
62 {
63 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
64 if (dataBuffer == NULL) {exit(-1);}
65 wmemset(dataBuffer, L'A', 100-1);
66 dataBuffer[100-1] = L'\0';
67 /* FIX: Set data pointer to the allocated memory buffer */
68 data = dataBuffer;
69 }
70 {
71 size_t i;
72 wchar_t dest[100];
73 wmemset(dest, L'C', 100-1); /* fill with 'C's */
74 dest[100-1] = L'\0'; /* null terminate */
75 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
76 for (i = 0; i < 100; i++)
77 {
78 dest[i] = data[i];
79 }
80 /* Ensure null termination */
81 dest[100-1] = L'\0';
82 printWLine(dest);
83 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
84 * returned by malloc() so can't safely call free() on it */
85 }
86}
87
88void CWE127_Buffer_Underread__malloc_wchar_t_loop_01_good()
89{
90 goodG2B();
91}
92
93#endif /* OMITGOOD */
94
95/* Below is the main(). It is only used when building this testcase on
96 * its own for testing or for building a binary to use in testing binary
97 * analysis tools. It is not used when compiling all the testcases as one
98 * application, which is how source code analysis tools are tested.
99 */
100
101#ifdef INCLUDEMAIN
102
103int main(int argc, char * argv[])
104{
105 /* seed randomness */
106 srand( (unsigned)time(NULL) );
107#ifndef OMITGOOD
108 printLine("Calling good()...");
109 CWE127_Buffer_Underread__malloc_wchar_t_loop_01_good();
110 printLine("Finished good()");
111#endif /* OMITGOOD */
112#ifndef OMITBAD
113 printLine("Calling bad()...");
114 CWE127_Buffer_Underread__malloc_wchar_t_loop_01_bad();
115 printLine("Finished bad()");
116#endif /* OMITBAD */
117 return 0;
118}
119
120#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3529: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_06.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_06.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml
4Template File: sources-sink-06.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: swprintf
12 * BadSink : Copy string to data using swprintf
13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifdef _WIN32
22#define SNPRINTF _snwprintf
23#else
24#define SNPRINTF swprintf
25#endif
26
27/* The variable below is declared "const", so a tool should be able
28 * to identify that reads of this will always give its initialized value. */
29static const int STATIC_CONST_FIVE = 5;
30
31#ifndef OMITBAD
32
33void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_06_bad()
34{
35 wchar_t * data;
36 wchar_t dataBadBuffer[50];
37 wchar_t dataGoodBuffer[100];
38 if(STATIC_CONST_FIVE==5)
39 {
40 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
41 * buffer in various memory copying functions using a "large" source buffer. */
42 data = dataBadBuffer;
43 data[0] = L'\0'; /* null terminate */
44 }
45 {
46 wchar_t source[100];
47 wmemset(source, L'C', 100-1); /* fill with L'C's */
48 source[100-1] = L'\0'; /* null terminate */
49 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
50 SNPRINTF(data, 100, L"%s", source);❗VULN
51 printWLine(data);
52 }
53}
54
55#endif /* OMITBAD */
56
57#ifndef OMITGOOD
58
59/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */
60static void goodG2B1()
61{
62 wchar_t * data;
63 wchar_t dataBadBuffer[50];
64 wchar_t dataGoodBuffer[100];
65 if(STATIC_CONST_FIVE!=5)
66 {
67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
68 printLine("Benign, fixed string");
69 }
70 else
71 {
72 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
73 data = dataGoodBuffer;
74 data[0] = L'\0'; /* null terminate */
75 }
76 {
77 wchar_t source[100];
78 wmemset(source, L'C', 100-1); /* fill with L'C's */
79 source[100-1] = L'\0'; /* null terminate */
80 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
81 SNPRINTF(data, 100, L"%s", source);
82 printWLine(data);
83 }
84}
85
86/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
87static void goodG2B2()
88{
89 wchar_t * data;
90 wchar_t dataBadBuffer[50];
91 wchar_t dataGoodBuffer[100];
92 if(STATIC_CONST_FIVE==5)
93 {
94 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
95 data = dataGoodBuffer;
96 data[0] = L'\0'; /* null terminate */
97 }
98 {
99 wchar_t source[100];
100 wmemset(source, L'C', 100-1); /* fill with L'C's */
101 source[100-1] = L'\0'; /* null terminate */
102 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
103 SNPRINTF(data, 100, L"%s", source);
104 printWLine(data);
105 }
106}
107
108void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_06_good()
109{
110 goodG2B1();
111 goodG2B2();
112}
113
114#endif /* OMITGOOD */
115
116/* Below is the main(). It is only used when building this testcase on
117 * its own for testing or for building a binary to use in testing binary
118 * analysis tools. It is not used when compiling all the testcases as one
119 * application, which is how source code analysis tools are tested.
120 */
121
122#ifdef INCLUDEMAIN
123
124int main(int argc, char * argv[])
125{
126 /* seed randomness */
127 srand( (unsigned)time(NULL) );
128#ifndef OMITGOOD
129 printLine("Calling good()...");
130 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_06_good();
131 printLine("Finished good()");
132#endif /* OMITGOOD */
133#ifndef OMITBAD
134 printLine("Calling bad()...");
135 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_declare_snprintf_06_bad();
136 printLine("Finished bad()");
137#endif /* OMITBAD */
138 return 0;
139}
140
141#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7045: CWE122_Heap_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_04.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_04.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow.label.xml
4Template File: point-flaw-04.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * Sinks: type_overrun_memcpy
10 * GoodSink: Perform the memcpy() and prevent overwriting part of the structure
11 * BadSink : Overwrite part of the structure by incorrectly using the sizeof(struct) in memcpy()
12 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)
13 *
14 * */
15
16#include "std_testcase.h"
17
18#ifndef _WIN32
19#include <wchar.h>
20#endif
21
22#define SRC_STR L"0123456789abcdef0123456789abcde"
23
24typedef struct _charVoid
25{
26 wchar_t charFirst[16];
27 void * voidSecond;
28 void * voidThird;
29} charVoid;
30
31/* The two variables below are declared "const", so a tool should
32 be able to identify that reads of these will always return their
33 initialized values. */
34static const int STATIC_CONST_TRUE = 1; /* true */
35static const int STATIC_CONST_FALSE = 0; /* false */
36
37#ifndef OMITBAD
38
39void CWE122_Heap_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_04_bad()
40{
41 if(STATIC_CONST_TRUE)
42 {
43 {
44 charVoid * structCharVoid = (charVoid *)malloc(sizeof(charVoid));
45 if (structCharVoid == NULL) {exit(-1);}
46 structCharVoid->voidSecond = (void *)SRC_STR;
47 /* Print the initial block pointed to by structCharVoid->voidSecond */
48 printWLine((wchar_t *)structCharVoid->voidSecond);
49 /* FLAW: Use the sizeof(*structCharVoid) which will overwrite the pointer y */
50 memcpy(structCharVoid->charFirst, SRC_STR, sizeof(*structCharVoid));❗VULN
51 structCharVoid->charFirst[(sizeof(structCharVoid->charFirst)/sizeof(wchar_t))-1] = L'\0'; /* null terminate the string */
52 printWLine((wchar_t *)structCharVoid->charFirst);
53 printWLine((wchar_t *)structCharVoid->voidSecond);
54 free(structCharVoid);
55 }
56 }
57}
58
59#endif /* OMITBAD */
60
61#ifndef OMITGOOD
62
63/* good1() uses if(STATIC_CONST_FALSE) instead of if(STATIC_CONST_TRUE) */
64static void good1()
65{
66 if(STATIC_CONST_FALSE)
67 {
68 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
69 printLine("Benign, fixed string");
70 }
71 else
72 {
73 {
74 charVoid * structCharVoid = (charVoid *)malloc(sizeof(charVoid));
75 if (structCharVoid == NULL) {exit(-1);}
76 structCharVoid->voidSecond = (void *)SRC_STR;
77 /* Print the initial block pointed to by structCharVoid->voidSecond */
78 printWLine((wchar_t *)structCharVoid->voidSecond);
79 /* FIX: Use the sizeof(structCharVoid->charFirst) to avoid overwriting the pointer y */
80 memcpy(structCharVoid->charFirst, SRC_STR, sizeof(structCharVoid->charFirst));
81 structCharVoid->charFirst[(sizeof(structCharVoid->charFirst)/sizeof(wchar_t))-1] = L'\0'; /* null terminate the string */
82 printWLine((wchar_t *)structCharVoid->charFirst);
83 printWLine((wchar_t *)structCharVoid->voidSecond);
84 free(structCharVoid);
85 }
86 }
87}
88
89/* good2() reverses the bodies in the if statement */
90static void good2()
91{
92 if(STATIC_CONST_TRUE)
93 {
94 {
95 charVoid * structCharVoid = (charVoid *)malloc(sizeof(charVoid));
96 if (structCharVoid == NULL) {exit(-1);}
97 structCharVoid->voidSecond = (void *)SRC_STR;
98 /* Print the initial block pointed to by structCharVoid->voidSecond */
99 printWLine((wchar_t *)structCharVoid->voidSecond);
100 /* FIX: Use the sizeof(structCharVoid->charFirst) to avoid overwriting the pointer y */
101 memcpy(structCharVoid->charFirst, SRC_STR, sizeof(structCharVoid->charFirst));
102 structCharVoid->charFirst[(sizeof(structCharVoid->charFirst)/sizeof(wchar_t))-1] = L'\0'; /* null terminate the string */
103 printWLine((wchar_t *)structCharVoid->charFirst);
104 printWLine((wchar_t *)structCharVoid->voidSecond);
105 free(structCharVoid);
106 }
107 }
108}
109
110void CWE122_Heap_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_04_good()
111{
112 good1();
113 good2();
114}
115
116#endif /* OMITGOOD */
117
118/* Below is the main(). It is only used when building this testcase on
119 its own for testing or for building a binary to use in testing binary
120 analysis tools. It is not used when compiling all the testcases as one
121 application, which is how source code analysis tools are tested. */
122
123#ifdef INCLUDEMAIN
124
125int main(int argc, char * argv[])
126{
127 /* seed randomness */
128 srand( (unsigned)time(NULL) );
129#ifndef OMITGOOD
130 printLine("Calling good()...");
131 CWE122_Heap_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_04_good();
132 printLine("Finished good()");
133#endif /* OMITGOOD */
134#ifndef OMITBAD
135 printLine("Calling bad()...");
136 CWE122_Heap_Based_Buffer_Overflow__wchar_t_type_overrun_memcpy_04_bad();
137 printLine("Finished bad()");
138#endif /* OMITBAD */
139 return 0;
140}
141
142#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5488: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_snprintf_11.cpp

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_snprintf_11.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805.string.label.xml
4Template File: sources-sink-11.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: snprintf
12 * BadSink : Copy string to data using snprintf
13 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifdef _WIN32
22#define SNPRINTF _snprintf
23#else
24#define SNPRINTF snprintf
25#endif
26
27namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_snprintf_11
28{
29
30#ifndef OMITBAD
31
32void bad()
33{
34 char * data;
35 data = NULL;
36 if(globalReturnsTrue())
37 {
38 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
39 data = new char[50];
40 data[0] = '\0'; /* null terminate */
41 }
42 {
43 char source[100];
44 memset(source, 'C', 100-1); /* fill with 'C's */
45 source[100-1] = '\0'; /* null terminate */
46 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
47 SNPRINTF(data, 100, "%s", source);❗VULN
48 printLine(data);
49 delete [] data;
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */
58static void goodG2B1()
59{
60 char * data;
61 data = NULL;
62 if(globalReturnsFalse())
63 {
64 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
65 printLine("Benign, fixed string");
66 }
67 else
68 {
69 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
70 data = new char[100];
71 data[0] = '\0'; /* null terminate */
72 }
73 {
74 char source[100];
75 memset(source, 'C', 100-1); /* fill with 'C's */
76 source[100-1] = '\0'; /* null terminate */
77 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
78 SNPRINTF(data, 100, "%s", source);
79 printLine(data);
80 delete [] data;
81 }
82}
83
84/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
85static void goodG2B2()
86{
87 char * data;
88 data = NULL;
89 if(globalReturnsTrue())
90 {
91 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
92 data = new char[100];
93 data[0] = '\0'; /* null terminate */
94 }
95 {
96 char source[100];
97 memset(source, 'C', 100-1); /* fill with 'C's */
98 source[100-1] = '\0'; /* null terminate */
99 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
100 SNPRINTF(data, 100, "%s", source);
101 printLine(data);
102 delete [] data;
103 }
104}
105
106void good()
107{
108 goodG2B1();
109 goodG2B2();
110}
111
112#endif /* OMITGOOD */
113
114} /* close namespace */
115
116/* Below is the main(). It is only used when building this testcase on
117 its own for testing or for building a binary to use in testing binary
118 analysis tools. It is not used when compiling all the testcases as one
119 application, which is how source code analysis tools are tested. */
120
121#ifdef INCLUDEMAIN
122
123using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE805_char_snprintf_11; /* so that we can use good and bad easily */
124
125int main(int argc, char * argv[])
126{
127 /* seed randomness */
128 srand( (unsigned)time(NULL) );
129#ifndef OMITGOOD
130 printLine("Calling good()...");
131 good();
132 printLine("Finished good()");
133#endif /* OMITGOOD */
134#ifndef OMITBAD
135 printLine("Calling bad()...");
136 bad();
137 printLine("Finished bad()");
138#endif /* OMITBAD */
139 return 0;
140}
141
142#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3156: CWE127_Buffer_Underread__wchar_t_alloca_cpy_09.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__wchar_t_alloca_cpy_09.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-09.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: cpy
12 * BadSink : Copy data to string using wcscpy
13 * Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE) and if(GLOBAL_CONST_FALSE)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__wchar_t_alloca_cpy_09_bad()
24{
25 wchar_t * data;
26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
27 wmemset(dataBuffer, L'A', 100-1);
28 dataBuffer[100-1] = L'\0';
29 if(GLOBAL_CONST_TRUE)
30 {
31 /* FLAW: Set data pointer to before the allocated memory buffer */
32 data = dataBuffer - 8;
33 }
34 {
35 wchar_t dest[100*2];
36 wmemset(dest, L'C', 100*2-1); /* fill with 'C's */
37 dest[100*2-1] = L'\0'; /* null terminate */
38 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
39 wcscpy(dest, data);❗VULN
40 printWLine(dest);
41 }
42}
43
44#endif /* OMITBAD */
45
46#ifndef OMITGOOD
47
48/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */
49static void goodG2B1()
50{
51 wchar_t * data;
52 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
53 wmemset(dataBuffer, L'A', 100-1);
54 dataBuffer[100-1] = L'\0';
55 if(GLOBAL_CONST_FALSE)
56 {
57 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
58 printLine("Benign, fixed string");
59 }
60 else
61 {
62 /* FIX: Set data pointer to the allocated memory buffer */
63 data = dataBuffer;
64 }
65 {
66 wchar_t dest[100*2];
67 wmemset(dest, L'C', 100*2-1); /* fill with 'C's */
68 dest[100*2-1] = L'\0'; /* null terminate */
69 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
70 wcscpy(dest, data);
71 printWLine(dest);
72 }
73}
74
75/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
76static void goodG2B2()
77{
78 wchar_t * data;
79 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
80 wmemset(dataBuffer, L'A', 100-1);
81 dataBuffer[100-1] = L'\0';
82 if(GLOBAL_CONST_TRUE)
83 {
84 /* FIX: Set data pointer to the allocated memory buffer */
85 data = dataBuffer;
86 }
87 {
88 wchar_t dest[100*2];
89 wmemset(dest, L'C', 100*2-1); /* fill with 'C's */
90 dest[100*2-1] = L'\0'; /* null terminate */
91 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
92 wcscpy(dest, data);
93 printWLine(dest);
94 }
95}
96
97void CWE127_Buffer_Underread__wchar_t_alloca_cpy_09_good()
98{
99 goodG2B1();
100 goodG2B2();
101}
102
103#endif /* OMITGOOD */
104
105/* Below is the main(). It is only used when building this testcase on
106 * its own for testing or for building a binary to use in testing binary
107 * analysis tools. It is not used when compiling all the testcases as one
108 * application, which is how source code analysis tools are tested.
109 */
110
111#ifdef INCLUDEMAIN
112
113int main(int argc, char * argv[])
114{
115 /* seed randomness */
116 srand( (unsigned)time(NULL) );
117#ifndef OMITGOOD
118 printLine("Calling good()...");
119 CWE127_Buffer_Underread__wchar_t_alloca_cpy_09_good();
120 printLine("Finished good()");
121#endif /* OMITGOOD */
122#ifndef OMITBAD
123 printLine("Calling bad()...");
124 CWE127_Buffer_Underread__wchar_t_alloca_cpy_09_bad();
125 printLine("Finished bad()");
126#endif /* OMITBAD */
127 return 0;
128}
129
130#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2164: CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_21.c

Nodes: 8 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_21.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__CWE131.label.xml
4Template File: sources-sink-21.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory without using sizeof(int)
10 * GoodSource: Allocate memory using sizeof(int)
11 * Sink: memmove
12 * BadSink : Copy array to data using memmove()
13 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21/* The static variable below is used to drive control flow in the source function */
22static int badStatic = 0;
23
24static int * badSource(int * data)
25{
26 if(badStatic)
27 {
28 /* FLAW: Allocate memory without using sizeof(int) */
29 data = (int *)malloc(10);
30 if (data == NULL) {exit(-1);}
31 }
32 return data;
33}
34
35void CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_21_bad()
36{
37 int * data;
38 data = NULL;
39 badStatic = 1; /* true */
40 data = badSource(data);
41 {
42 int source[10] = {0};
43 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
44 memmove(data, source, 10*sizeof(int));❗VULN
45 printIntLine(data[0]);
46 free(data);
47 }
48}
49
50#endif /* OMITBAD */
51
52#ifndef OMITGOOD
53
54/* The static variables below are used to drive control flow in the source functions. */
55static int goodG2B1Static = 0;
56static int goodG2B2Static = 0;
57
58/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */
59static int * goodG2B1Source(int * data)
60{
61 if(goodG2B1Static)
62 {
63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
64 printLine("Benign, fixed string");
65 }
66 else
67 {
68 /* FIX: Allocate memory using sizeof(int) */
69 data = (int *)malloc(10*sizeof(int));
70 if (data == NULL) {exit(-1);}
71 }
72 return data;
73}
74
75static void goodG2B1()
76{
77 int * data;
78 data = NULL;
79 goodG2B1Static = 0; /* false */
80 data = goodG2B1Source(data);
81 {
82 int source[10] = {0};
83 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
84 memmove(data, source, 10*sizeof(int));
85 printIntLine(data[0]);
86 free(data);
87 }
88}
89
90/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */
91static int * goodG2B2Source(int * data)
92{
93 if(goodG2B2Static)
94 {
95 /* FIX: Allocate memory using sizeof(int) */
96 data = (int *)malloc(10*sizeof(int));
97 if (data == NULL) {exit(-1);}
98 }
99 return data;
100}
101
102static void goodG2B2()
103{
104 int * data;
105 data = NULL;
106 goodG2B2Static = 1; /* true */
107 data = goodG2B2Source(data);
108 {
109 int source[10] = {0};
110 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
111 memmove(data, source, 10*sizeof(int));
112 printIntLine(data[0]);
113 free(data);
114 }
115}
116
117void CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_21_good()
118{
119 goodG2B1();
120 goodG2B2();
121}
122
123#endif /* OMITGOOD */
124
125/* Below is the main(). It is only used when building this testcase on
126 * its own for testing or for building a binary to use in testing binary
127 * analysis tools. It is not used when compiling all the testcases as one
128 * application, which is how source code analysis tools are tested.
129 */
130
131#ifdef INCLUDEMAIN
132
133int main(int argc, char * argv[])
134{
135 /* seed randomness */
136 srand( (unsigned)time(NULL) );
137#ifndef OMITGOOD
138 printLine("Calling good()...");
139 CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_21_good();
140 printLine("Finished good()");
141#endif /* OMITGOOD */
142#ifndef OMITBAD
143 printLine("Calling bad()...");
144 CWE122_Heap_Based_Buffer_Overflow__CWE131_memmove_21_bad();
145 printLine("Finished bad()");
146#endif /* OMITBAD */
147 return 0;
148}
149
150#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 320: CWE127_Buffer_Underread__malloc_wchar_t_memmove_05.c

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__malloc_wchar_t_memmove_05.c
3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml
4Template File: sources-sink-05.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are not defined as "const", but are never
22 * assigned any other value, so a tool should be able to identify that
23 * reads of these will always return their initialized values.
24 */
25static int staticTrue = 1; /* true */
26static int staticFalse = 0; /* false */
27
28#ifndef OMITBAD
29
30void CWE127_Buffer_Underread__malloc_wchar_t_memmove_05_bad()
31{
32 wchar_t * data;
33 data = NULL;
34 if(staticTrue)
35 {
36 {
37 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
38 if (dataBuffer == NULL) {exit(-1);}
39 wmemset(dataBuffer, L'A', 100-1);
40 dataBuffer[100-1] = L'\0';
41 /* FLAW: Set data pointer to before the allocated memory buffer */
42 data = dataBuffer - 8;
43 }
44 }
45 {
46 wchar_t dest[100];
47 wmemset(dest, L'C', 100-1); /* fill with 'C's */
48 dest[100-1] = L'\0'; /* null terminate */
49 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
50 memmove(dest, data, 100*sizeof(wchar_t));❗VULN
51 /* Ensure null termination */
52 dest[100-1] = L'\0';
53 printWLine(dest);
54 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
55 * returned by malloc() so can't safely call free() on it */
56 }
57}
58
59#endif /* OMITBAD */
60
61#ifndef OMITGOOD
62
63/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */
64static void goodG2B1()
65{
66 wchar_t * data;
67 data = NULL;
68 if(staticFalse)
69 {
70 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
71 printLine("Benign, fixed string");
72 }
73 else
74 {
75 {
76 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
77 if (dataBuffer == NULL) {exit(-1);}
78 wmemset(dataBuffer, L'A', 100-1);
79 dataBuffer[100-1] = L'\0';
80 /* FIX: Set data pointer to the allocated memory buffer */
81 data = dataBuffer;
82 }
83 }
84 {
85 wchar_t dest[100];
86 wmemset(dest, L'C', 100-1); /* fill with 'C's */
87 dest[100-1] = L'\0'; /* null terminate */
88 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
89 memmove(dest, data, 100*sizeof(wchar_t));
90 /* Ensure null termination */
91 dest[100-1] = L'\0';
92 printWLine(dest);
93 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
94 * returned by malloc() so can't safely call free() on it */
95 }
96}
97
98/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
99static void goodG2B2()
100{
101 wchar_t * data;
102 data = NULL;
103 if(staticTrue)
104 {
105 {
106 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
107 if (dataBuffer == NULL) {exit(-1);}
108 wmemset(dataBuffer, L'A', 100-1);
109 dataBuffer[100-1] = L'\0';
110 /* FIX: Set data pointer to the allocated memory buffer */
111 data = dataBuffer;
112 }
113 }
114 {
115 wchar_t dest[100];
116 wmemset(dest, L'C', 100-1); /* fill with 'C's */
117 dest[100-1] = L'\0'; /* null terminate */
118 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
119 memmove(dest, data, 100*sizeof(wchar_t));
120 /* Ensure null termination */
121 dest[100-1] = L'\0';
122 printWLine(dest);
123 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
124 * returned by malloc() so can't safely call free() on it */
125 }
126}
127
128void CWE127_Buffer_Underread__malloc_wchar_t_memmove_05_good()
129{
130 goodG2B1();
131 goodG2B2();
132}
133
134#endif /* OMITGOOD */
135
136/* Below is the main(). It is only used when building this testcase on
137 * its own for testing or for building a binary to use in testing binary
138 * analysis tools. It is not used when compiling all the testcases as one
139 * application, which is how source code analysis tools are tested.
140 */
141
142#ifdef INCLUDEMAIN
143
144int main(int argc, char * argv[])
145{
146 /* seed randomness */
147 srand( (unsigned)time(NULL) );
148#ifndef OMITGOOD
149 printLine("Calling good()...");
150 CWE127_Buffer_Underread__malloc_wchar_t_memmove_05_good();
151 printLine("Finished good()");
152#endif /* OMITGOOD */
153#ifndef OMITBAD
154 printLine("Calling bad()...");
155 CWE127_Buffer_Underread__malloc_wchar_t_memmove_05_bad();
156 printLine("Finished bad()");
157#endif /* OMITBAD */
158 return 0;
159}
160
161#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8555: CWE122_Heap_Based_Buffer_Overflow__cpp_dest_wchar_t_cpy_11.cpp

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_dest_wchar_t_cpy_11.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_dest.label.xml
4Template File: sources-sink-11.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using new[] and set data pointer to a small buffer
10 * GoodSource: Allocate using new[] and set data pointer to a large buffer
11 * Sink: cpy
12 * BadSink : Copy string to data using wcscpy
13 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__cpp_dest_wchar_t_cpy_11
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 wchar_t * data;
29 data = NULL;
30 if(globalReturnsTrue())
31 {
32 /* FLAW: Allocate using new[] and point data to a small buffer that is smaller than the large buffer used in the sinks */
33 data = new wchar_t[50];
34 data[0] = L'\0'; /* null terminate */
35 }
36 {
37 wchar_t source[100];
38 wmemset(source, L'C', 100-1); /* fill with L'C's */
39 source[100-1] = L'\0'; /* null terminate */
40 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
41 wcscpy(data, source);❗VULN
42 printWLine(data);
43 delete [] data;
44 }
45}
46
47#endif /* OMITBAD */
48
49#ifndef OMITGOOD
50
51/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */
52static void goodG2B1()
53{
54 wchar_t * data;
55 data = NULL;
56 if(globalReturnsFalse())
57 {
58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
59 printLine("Benign, fixed string");
60 }
61 else
62 {
63 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
64 data = new wchar_t[100];
65 data[0] = L'\0'; /* null terminate */
66 }
67 {
68 wchar_t source[100];
69 wmemset(source, L'C', 100-1); /* fill with L'C's */
70 source[100-1] = L'\0'; /* null terminate */
71 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
72 wcscpy(data, source);
73 printWLine(data);
74 delete [] data;
75 }
76}
77
78/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
79static void goodG2B2()
80{
81 wchar_t * data;
82 data = NULL;
83 if(globalReturnsTrue())
84 {
85 /* FIX: Allocate using new[] and point data to a large buffer that is at least as large as the large buffer used in the sink */
86 data = new wchar_t[100];
87 data[0] = L'\0'; /* null terminate */
88 }
89 {
90 wchar_t source[100];
91 wmemset(source, L'C', 100-1); /* fill with L'C's */
92 source[100-1] = L'\0'; /* null terminate */
93 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
94 wcscpy(data, source);
95 printWLine(data);
96 delete [] data;
97 }
98}
99
100void good()
101{
102 goodG2B1();
103 goodG2B2();
104}
105
106#endif /* OMITGOOD */
107
108} /* close namespace */
109
110/* Below is the main(). It is only used when building this testcase on
111 its own for testing or for building a binary to use in testing binary
112 analysis tools. It is not used when compiling all the testcases as one
113 application, which is how source code analysis tools are tested. */
114
115#ifdef INCLUDEMAIN
116
117using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_dest_wchar_t_cpy_11; /* so that we can use good and bad easily */
118
119int main(int argc, char * argv[])
120{
121 /* seed randomness */
122 srand( (unsigned)time(NULL) );
123#ifndef OMITGOOD
124 printLine("Calling good()...");
125 good();
126 printLine("Finished good()");
127#endif /* OMITGOOD */
128#ifndef OMITBAD
129 printLine("Calling bad()...");
130 bad();
131 printLine("Finished bad()");
132#endif /* OMITBAD */
133 return 0;
134}
135
136#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8781: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_13.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_13.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-13.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: memcpy
12 * BadSink : Copy twoIntsStruct array to data using memcpy
13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_13_bad()
22{
23 twoIntsStruct * data;
24 twoIntsStruct dataBadBuffer[50];
25 twoIntsStruct dataGoodBuffer[100];
26 if(GLOBAL_CONST_FIVE==5)
27 {
28 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
29 * buffer in various memory copying functions using a "large" source buffer. */
30 data = dataBadBuffer;
31 }
32 {
33 twoIntsStruct source[100];
34 {
35 size_t i;
36 /* Initialize array */
37 for (i = 0; i < 100; i++)
38 {
39 source[i].intOne = 0;
40 source[i].intTwo = 0;
41 }
42 }
43 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
44 memcpy(data, source, 100*sizeof(twoIntsStruct));❗VULN
45 printStructLine(&data[0]);
46 }
47}
48
49#endif /* OMITBAD */
50
51#ifndef OMITGOOD
52
53/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */
54static void goodG2B1()
55{
56 twoIntsStruct * data;
57 twoIntsStruct dataBadBuffer[50];
58 twoIntsStruct dataGoodBuffer[100];
59 if(GLOBAL_CONST_FIVE!=5)
60 {
61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
62 printLine("Benign, fixed string");
63 }
64 else
65 {
66 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
67 data = dataGoodBuffer;
68 }
69 {
70 twoIntsStruct source[100];
71 {
72 size_t i;
73 /* Initialize array */
74 for (i = 0; i < 100; i++)
75 {
76 source[i].intOne = 0;
77 source[i].intTwo = 0;
78 }
79 }
80 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
81 memcpy(data, source, 100*sizeof(twoIntsStruct));
82 printStructLine(&data[0]);
83 }
84}
85
86/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
87static void goodG2B2()
88{
89 twoIntsStruct * data;
90 twoIntsStruct dataBadBuffer[50];
91 twoIntsStruct dataGoodBuffer[100];
92 if(GLOBAL_CONST_FIVE==5)
93 {
94 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
95 data = dataGoodBuffer;
96 }
97 {
98 twoIntsStruct source[100];
99 {
100 size_t i;
101 /* Initialize array */
102 for (i = 0; i < 100; i++)
103 {
104 source[i].intOne = 0;
105 source[i].intTwo = 0;
106 }
107 }
108 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
109 memcpy(data, source, 100*sizeof(twoIntsStruct));
110 printStructLine(&data[0]);
111 }
112}
113
114void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_13_good()
115{
116 goodG2B1();
117 goodG2B2();
118}
119
120#endif /* OMITGOOD */
121
122/* Below is the main(). It is only used when building this testcase on
123 * its own for testing or for building a binary to use in testing binary
124 * analysis tools. It is not used when compiling all the testcases as one
125 * application, which is how source code analysis tools are tested.
126 */
127
128#ifdef INCLUDEMAIN
129
130int main(int argc, char * argv[])
131{
132 /* seed randomness */
133 srand( (unsigned)time(NULL) );
134#ifndef OMITGOOD
135 printLine("Calling good()...");
136 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_13_good();
137 printLine("Finished good()");
138#endif /* OMITGOOD */
139#ifndef OMITBAD
140 printLine("Calling bad()...");
141 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_13_bad();
142 printLine("Finished bad()");
143#endif /* OMITBAD */
144 return 0;
145}
146
147#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4654: CWE127_Buffer_Underread__malloc_char_memmove_18.c

Nodes: 16 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__malloc_char_memmove_18.c
3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml
4Template File: sources-sink-18.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 18 Control flow: goto statements
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__malloc_char_memmove_18_bad()
24{
25 char * data;
26 data = NULL;
27 goto source;
28source:
29 {
30 char * dataBuffer = (char *)malloc(100*sizeof(char));
31 if (dataBuffer == NULL) {exit(-1);}
32 memset(dataBuffer, 'A', 100-1);
33 dataBuffer[100-1] = '\0';
34 /* FLAW: Set data pointer to before the allocated memory buffer */
35 data = dataBuffer - 8;
36 }
37 {
38 char dest[100];
39 memset(dest, 'C', 100-1); /* fill with 'C's */
40 dest[100-1] = '\0'; /* null terminate */
41 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
42 memmove(dest, data, 100*sizeof(char));❗VULN
43 /* Ensure null termination */
44 dest[100-1] = '\0';
45 printLine(dest);
46 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
47 * returned by malloc() so can't safely call free() on it */
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
56static void goodG2B()
57{
58 char * data;
59 data = NULL;
60 goto source;
61source:
62 {
63 char * dataBuffer = (char *)malloc(100*sizeof(char));
64 if (dataBuffer == NULL) {exit(-1);}
65 memset(dataBuffer, 'A', 100-1);
66 dataBuffer[100-1] = '\0';
67 /* FIX: Set data pointer to the allocated memory buffer */
68 data = dataBuffer;
69 }
70 {
71 char dest[100];
72 memset(dest, 'C', 100-1); /* fill with 'C's */
73 dest[100-1] = '\0'; /* null terminate */
74 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
75 memmove(dest, data, 100*sizeof(char));
76 /* Ensure null termination */
77 dest[100-1] = '\0';
78 printLine(dest);
79 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
80 * returned by malloc() so can't safely call free() on it */
81 }
82}
83
84void CWE127_Buffer_Underread__malloc_char_memmove_18_good()
85{
86 goodG2B();
87}
88
89#endif /* OMITGOOD */
90
91/* Below is the main(). It is only used when building this testcase on
92 * its own for testing or for building a binary to use in testing binary
93 * analysis tools. It is not used when compiling all the testcases as one
94 * application, which is how source code analysis tools are tested.
95 */
96
97#ifdef INCLUDEMAIN
98
99int main(int argc, char * argv[])
100{
101 /* seed randomness */
102 srand( (unsigned)time(NULL) );
103#ifndef OMITGOOD
104 printLine("Calling good()...");
105 CWE127_Buffer_Underread__malloc_char_memmove_18_good();
106 printLine("Finished good()");
107#endif /* OMITGOOD */
108#ifndef OMITBAD
109 printLine("Calling bad()...");
110 CWE127_Buffer_Underread__malloc_char_memmove_18_bad();
111 printLine("Finished bad()");
112#endif /* OMITBAD */
113 return 0;
114}
115
116#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2163: CWE124_Buffer_Underwrite__malloc_char_loop_61a.c

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__malloc_char_loop_61a.c
3Label Definition File: CWE124_Buffer_Underwrite__malloc.label.xml
4Template File: sources-sink-61a.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sinks: loop
12 * BadSink : Copy string to data using a loop
13 * Flow Variant: 61 Data flow: data returned from one function to another in different source files
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23/* bad function declaration */
24char * CWE124_Buffer_Underwrite__malloc_char_loop_61b_badSource(char * data);
25
26void CWE124_Buffer_Underwrite__malloc_char_loop_61_bad()
27{
28 char * data;
29 data = NULL;
30 data = CWE124_Buffer_Underwrite__malloc_char_loop_61b_badSource(data);
31 {
32 size_t i;
33 char source[100];
34 memset(source, 'C', 100-1); /* fill with 'C's */
35 source[100-1] = '\0'; /* null terminate */
36 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
37 for (i = 0; i < 100; i++)
38 {
39 data[i] = source[i];❗VULN
40 }
41 /* Ensure the destination buffer is null terminated */
42 data[100-1] = '\0';
43 printLine(data);
44 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
45 * returned by malloc() so can't safely call free() on it */
46 }
47}
48
49#endif /* OMITBAD */
50
51#ifndef OMITGOOD
52
53/* goodG2B uses the GoodSource with the BadSink */
54char * CWE124_Buffer_Underwrite__malloc_char_loop_61b_goodG2BSource(char * data);
55
56static void goodG2B()
57{
58 char * data;
59 data = NULL;
60 data = CWE124_Buffer_Underwrite__malloc_char_loop_61b_goodG2BSource(data);
61 {
62 size_t i;
63 char source[100];
64 memset(source, 'C', 100-1); /* fill with 'C's */
65 source[100-1] = '\0'; /* null terminate */
66 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
67 for (i = 0; i < 100; i++)
68 {
69 data[i] = source[i];
70 }
71 /* Ensure the destination buffer is null terminated */
72 data[100-1] = '\0';
73 printLine(data);
74 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
75 * returned by malloc() so can't safely call free() on it */
76 }
77}
78
79void CWE124_Buffer_Underwrite__malloc_char_loop_61_good()
80{
81 goodG2B();
82}
83
84#endif /* OMITGOOD */
85
86/* Below is the main(). It is only used when building this testcase on
87 * its own for testing or for building a binary to use in testing binary
88 * analysis tools. It is not used when compiling all the testcases as one
89 * application, which is how source code analysis tools are tested.
90 */
91
92#ifdef INCLUDEMAIN
93
94int main(int argc, char * argv[])
95{
96 /* seed randomness */
97 srand( (unsigned)time(NULL) );
98#ifndef OMITGOOD
99 printLine("Calling good()...");
100 CWE124_Buffer_Underwrite__malloc_char_loop_61_good();
101 printLine("Finished good()");
102#endif /* OMITGOOD */
103#ifndef OMITBAD
104 printLine("Calling bad()...");
105 CWE124_Buffer_Underwrite__malloc_char_loop_61_bad();
106 printLine("Finished bad()");
107#endif /* OMITBAD */
108 return 0;
109}
110
111#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9434: CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cat_05.c

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cat_05.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__src.label.xml
4Template File: sources-sink-05.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: cat
12 * BadSink : Copy data to string using wcscat
13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are not defined as "const", but are never
22 * assigned any other value, so a tool should be able to identify that
23 * reads of these will always return their initialized values.
24 */
25static int staticTrue = 1; /* true */
26static int staticFalse = 0; /* false */
27
28#ifndef OMITBAD
29
30void CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cat_05_bad()
31{
32 wchar_t * data;
33 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
34 data = dataBuffer;
35 if(staticTrue)
36 {
37 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
38 wmemset(data, L'A', 100-1); /* fill with L'A's */
39 data[100-1] = L'\0'; /* null terminate */
40 }
41 {
42 wchar_t dest[50] = L"";
43 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-wcslen(dest)*/
44 wcscat(dest, data);❗VULN
45 printWLine(data);
46 }
47}
48
49#endif /* OMITBAD */
50
51#ifndef OMITGOOD
52
53/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */
54static void goodG2B1()
55{
56 wchar_t * data;
57 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
58 data = dataBuffer;
59 if(staticFalse)
60 {
61 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
62 printLine("Benign, fixed string");
63 }
64 else
65 {
66 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
67 wmemset(data, L'A', 50-1); /* fill with L'A's */
68 data[50-1] = L'\0'; /* null terminate */
69 }
70 {
71 wchar_t dest[50] = L"";
72 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-wcslen(dest)*/
73 wcscat(dest, data);
74 printWLine(data);
75 }
76}
77
78/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
79static void goodG2B2()
80{
81 wchar_t * data;
82 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
83 data = dataBuffer;
84 if(staticTrue)
85 {
86 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
87 wmemset(data, L'A', 50-1); /* fill with L'A's */
88 data[50-1] = L'\0'; /* null terminate */
89 }
90 {
91 wchar_t dest[50] = L"";
92 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-wcslen(dest)*/
93 wcscat(dest, data);
94 printWLine(data);
95 }
96}
97
98void CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cat_05_good()
99{
100 goodG2B1();
101 goodG2B2();
102}
103
104#endif /* OMITGOOD */
105
106/* Below is the main(). It is only used when building this testcase on
107 * its own for testing or for building a binary to use in testing binary
108 * analysis tools. It is not used when compiling all the testcases as one
109 * application, which is how source code analysis tools are tested.
110 */
111
112#ifdef INCLUDEMAIN
113
114int main(int argc, char * argv[])
115{
116 /* seed randomness */
117 srand( (unsigned)time(NULL) );
118#ifndef OMITGOOD
119 printLine("Calling good()...");
120 CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cat_05_good();
121 printLine("Finished good()");
122#endif /* OMITGOOD */
123#ifndef OMITBAD
124 printLine("Calling bad()...");
125 CWE121_Stack_Based_Buffer_Overflow__src_wchar_t_alloca_cat_05_bad();
126 printLine("Finished bad()");
127#endif /* OMITBAD */
128 return 0;
129}
130
131#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5454: CWE126_Buffer_Overread__char_declare_loop_10.c

Nodes: 20 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__char_declare_loop_10.c
3Label Definition File: CWE126_Buffer_Overread.stack.label.xml
4Template File: sources-sink-10.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Set data pointer to a small buffer
10 * GoodSource: Set data pointer to a large buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 10 Control flow: if(globalTrue) and if(globalFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE126_Buffer_Overread__char_declare_loop_10_bad()
24{
25 char * data;
26 char dataBadBuffer[50];
27 char dataGoodBuffer[100];
28 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */
29 dataBadBuffer[50-1] = '\0'; /* null terminate */
30 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */
31 dataGoodBuffer[100-1] = '\0'; /* null terminate */
32 if(globalTrue)
33 {
34 /* FLAW: Set data pointer to a small buffer */
35 data = dataBadBuffer;
36 }
37 {
38 size_t i, destLen;
39 char dest[100];
40 memset(dest, 'C', 100-1);
41 dest[100-1] = '\0'; /* null terminate */
42 destLen = strlen(dest);
43 /* POTENTIAL FLAW: using length of the dest where data
44 * could be smaller than dest causing buffer overread */
45 for (i = 0; i < destLen; i++)
46 {
47 dest[i] = data[i];❗VULN
48 }
49 dest[100-1] = '\0';
50 printLine(dest);
51 }
52}
53
54#endif /* OMITBAD */
55
56#ifndef OMITGOOD
57
58/* goodG2B1() - use goodsource and badsink by changing the globalTrue to globalFalse */
59static void goodG2B1()
60{
61 char * data;
62 char dataBadBuffer[50];
63 char dataGoodBuffer[100];
64 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */
65 dataBadBuffer[50-1] = '\0'; /* null terminate */
66 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */
67 dataGoodBuffer[100-1] = '\0'; /* null terminate */
68 if(globalFalse)
69 {
70 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
71 printLine("Benign, fixed string");
72 }
73 else
74 {
75 /* FIX: Set data pointer to a large buffer */
76 data = dataGoodBuffer;
77 }
78 {
79 size_t i, destLen;
80 char dest[100];
81 memset(dest, 'C', 100-1);
82 dest[100-1] = '\0'; /* null terminate */
83 destLen = strlen(dest);
84 /* POTENTIAL FLAW: using length of the dest where data
85 * could be smaller than dest causing buffer overread */
86 for (i = 0; i < destLen; i++)
87 {
88 dest[i] = data[i];
89 }
90 dest[100-1] = '\0';
91 printLine(dest);
92 }
93}
94
95/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
96static void goodG2B2()
97{
98 char * data;
99 char dataBadBuffer[50];
100 char dataGoodBuffer[100];
101 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */
102 dataBadBuffer[50-1] = '\0'; /* null terminate */
103 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */
104 dataGoodBuffer[100-1] = '\0'; /* null terminate */
105 if(globalTrue)
106 {
107 /* FIX: Set data pointer to a large buffer */
108 data = dataGoodBuffer;
109 }
110 {
111 size_t i, destLen;
112 char dest[100];
113 memset(dest, 'C', 100-1);
114 dest[100-1] = '\0'; /* null terminate */
115 destLen = strlen(dest);
116 /* POTENTIAL FLAW: using length of the dest where data
117 * could be smaller than dest causing buffer overread */
118 for (i = 0; i < destLen; i++)
119 {
120 dest[i] = data[i];
121 }
122 dest[100-1] = '\0';
123 printLine(dest);
124 }
125}
126
127void CWE126_Buffer_Overread__char_declare_loop_10_good()
128{
129 goodG2B1();
130 goodG2B2();
131}
132
133#endif /* OMITGOOD */
134
135/* Below is the main(). It is only used when building this testcase on
136 * its own for testing or for building a binary to use in testing binary
137 * analysis tools. It is not used when compiling all the testcases as one
138 * application, which is how source code analysis tools are tested.
139 */
140
141#ifdef INCLUDEMAIN
142
143int main(int argc, char * argv[])
144{
145 /* seed randomness */
146 srand( (unsigned)time(NULL) );
147#ifndef OMITGOOD
148 printLine("Calling good()...");
149 CWE126_Buffer_Overread__char_declare_loop_10_good();
150 printLine("Finished good()");
151#endif /* OMITGOOD */
152#ifndef OMITBAD
153 printLine("Calling bad()...");
154 CWE126_Buffer_Overread__char_declare_loop_10_bad();
155 printLine("Finished bad()");
156#endif /* OMITBAD */
157 return 0;
158}
159
160#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7090: CWE126_Buffer_Overread__char_declare_loop_16.c

Nodes: 21 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__char_declare_loop_16.c
3Label Definition File: CWE126_Buffer_Overread.stack.label.xml
4Template File: sources-sink-16.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Set data pointer to a small buffer
10 * GoodSource: Set data pointer to a large buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 16 Control flow: while(1)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE126_Buffer_Overread__char_declare_loop_16_bad()
24{
25 char * data;
26 char dataBadBuffer[50];
27 char dataGoodBuffer[100];
28 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */
29 dataBadBuffer[50-1] = '\0'; /* null terminate */
30 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */
31 dataGoodBuffer[100-1] = '\0'; /* null terminate */
32 while(1)
33 {
34 /* FLAW: Set data pointer to a small buffer */
35 data = dataBadBuffer;
36 break;
37 }
38 {
39 size_t i, destLen;
40 char dest[100];
41 memset(dest, 'C', 100-1);
42 dest[100-1] = '\0'; /* null terminate */
43 destLen = strlen(dest);
44 /* POTENTIAL FLAW: using length of the dest where data
45 * could be smaller than dest causing buffer overread */
46 for (i = 0; i < destLen; i++)
47 {
48 dest[i] = data[i];❗VULN
49 }
50 dest[100-1] = '\0';
51 printLine(dest);
52 }
53}
54
55#endif /* OMITBAD */
56
57#ifndef OMITGOOD
58
59/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */
60static void goodG2B()
61{
62 char * data;
63 char dataBadBuffer[50];
64 char dataGoodBuffer[100];
65 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */
66 dataBadBuffer[50-1] = '\0'; /* null terminate */
67 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */
68 dataGoodBuffer[100-1] = '\0'; /* null terminate */
69 while(1)
70 {
71 /* FIX: Set data pointer to a large buffer */
72 data = dataGoodBuffer;
73 break;
74 }
75 {
76 size_t i, destLen;
77 char dest[100];
78 memset(dest, 'C', 100-1);
79 dest[100-1] = '\0'; /* null terminate */
80 destLen = strlen(dest);
81 /* POTENTIAL FLAW: using length of the dest where data
82 * could be smaller than dest causing buffer overread */
83 for (i = 0; i < destLen; i++)
84 {
85 dest[i] = data[i];
86 }
87 dest[100-1] = '\0';
88 printLine(dest);
89 }
90}
91
92void CWE126_Buffer_Overread__char_declare_loop_16_good()
93{
94 goodG2B();
95}
96
97#endif /* OMITGOOD */
98
99/* Below is the main(). It is only used when building this testcase on
100 * its own for testing or for building a binary to use in testing binary
101 * analysis tools. It is not used when compiling all the testcases as one
102 * application, which is how source code analysis tools are tested.
103 */
104
105#ifdef INCLUDEMAIN
106
107int main(int argc, char * argv[])
108{
109 /* seed randomness */
110 srand( (unsigned)time(NULL) );
111#ifndef OMITGOOD
112 printLine("Calling good()...");
113 CWE126_Buffer_Overread__char_declare_loop_16_good();
114 printLine("Finished good()");
115#endif /* OMITGOOD */
116#ifndef OMITBAD
117 printLine("Calling bad()...");
118 CWE126_Buffer_Overread__char_declare_loop_16_bad();
119 printLine("Finished bad()");
120#endif /* OMITBAD */
121 return 0;
122}
123
124#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9641: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22a.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22a.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml
4Template File: sources-sink-22a.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: swprintf
12 * BadSink : Copy data to string using swprintf
13 * Flow Variant: 22 Control flow: Flow controlled by value of a global variable. Sink functions are in a separate file from sources.
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifdef _WIN32
22#define SNPRINTF _snwprintf
23#else
24#define SNPRINTF swprintf
25#endif
26
27#ifndef OMITBAD
28
29/* The global variable below is used to drive control flow in the source function */
30int CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_badGlobal = 0;
31
32wchar_t * CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_badSource(wchar_t * data);
33
34void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_bad()
35{
36 wchar_t * data;
37 data = (wchar_t *)malloc(100*sizeof(wchar_t));
38 if (data == NULL) {exit(-1);}
39 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_badGlobal = 1; /* true */
40 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_badSource(data);
41 {
42 wchar_t dest[50] = L"";
43 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
44 SNPRINTF(dest, wcslen(data), L"%s", data);❗VULN
45 printWLine(data);
46 free(data);
47 }
48}
49
50#endif /* OMITBAD */
51
52#ifndef OMITGOOD
53
54/* The global variables below are used to drive control flow in the source functions. */
55int CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_goodG2B1Global = 0;
56int CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_goodG2B2Global = 0;
57
58/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */
59wchar_t * CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_goodG2B1Source(wchar_t * data);
60
61static void goodG2B1()
62{
63 wchar_t * data;
64 data = (wchar_t *)malloc(100*sizeof(wchar_t));
65 if (data == NULL) {exit(-1);}
66 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_goodG2B1Global = 0; /* false */
67 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_goodG2B1Source(data);
68 {
69 wchar_t dest[50] = L"";
70 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
71 SNPRINTF(dest, wcslen(data), L"%s", data);
72 printWLine(data);
73 free(data);
74 }
75}
76
77/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */
78wchar_t * CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_goodG2B2Source(wchar_t * data);
79
80static void goodG2B2()
81{
82 wchar_t * data;
83 data = (wchar_t *)malloc(100*sizeof(wchar_t));
84 if (data == NULL) {exit(-1);}
85 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_goodG2B2Global = 1; /* true */
86 data = CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_goodG2B2Source(data);
87 {
88 wchar_t dest[50] = L"";
89 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
90 SNPRINTF(dest, wcslen(data), L"%s", data);
91 printWLine(data);
92 free(data);
93 }
94}
95
96void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_good()
97{
98 goodG2B1();
99 goodG2B2();
100}
101
102#endif /* OMITGOOD */
103
104/* Below is the main(). It is only used when building this testcase on
105 * its own for testing or for building a binary to use in testing binary
106 * analysis tools. It is not used when compiling all the testcases as one
107 * application, which is how source code analysis tools are tested.
108 */
109
110#ifdef INCLUDEMAIN
111
112int main(int argc, char * argv[])
113{
114 /* seed randomness */
115 srand( (unsigned)time(NULL) );
116#ifndef OMITGOOD
117 printLine("Calling good()...");
118 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_good();
119 printLine("Finished good()");
120#endif /* OMITGOOD */
121#ifndef OMITBAD
122 printLine("Calling bad()...");
123 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_snprintf_22_bad();
124 printLine("Finished bad()");
125#endif /* OMITBAD */
126 return 0;
127}
128
129#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 929: CWE124_Buffer_Underwrite__char_alloca_memcpy_04.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__char_alloca_memcpy_04.c
3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml
4Template File: sources-sink-04.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memcpy
12 * BadSink : Copy string to data using memcpy
13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are declared "const", so a tool should
22 * be able to identify that reads of these will always return their
23 * initialized values.
24 */
25static const int STATIC_CONST_TRUE = 1; /* true */
26static const int STATIC_CONST_FALSE = 0; /* false */
27
28#ifndef OMITBAD
29
30void CWE124_Buffer_Underwrite__char_alloca_memcpy_04_bad()
31{
32 char * data;
33 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
34 memset(dataBuffer, 'A', 100-1);
35 dataBuffer[100-1] = '\0';
36 if(STATIC_CONST_TRUE)
37 {
38 /* FLAW: Set data pointer to before the allocated memory buffer */
39 data = dataBuffer - 8;
40 }
41 {
42 char source[100];
43 memset(source, 'C', 100-1); /* fill with 'C's */
44 source[100-1] = '\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
46 memcpy(data, source, 100*sizeof(char));❗VULN
47 /* Ensure the destination buffer is null terminated */
48 data[100-1] = '\0';
49 printLine(data);
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */
58static void goodG2B1()
59{
60 char * data;
61 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
62 memset(dataBuffer, 'A', 100-1);
63 dataBuffer[100-1] = '\0';
64 if(STATIC_CONST_FALSE)
65 {
66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
67 printLine("Benign, fixed string");
68 }
69 else
70 {
71 /* FIX: Set data pointer to the allocated memory buffer */
72 data = dataBuffer;
73 }
74 {
75 char source[100];
76 memset(source, 'C', 100-1); /* fill with 'C's */
77 source[100-1] = '\0'; /* null terminate */
78 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
79 memcpy(data, source, 100*sizeof(char));
80 /* Ensure the destination buffer is null terminated */
81 data[100-1] = '\0';
82 printLine(data);
83 }
84}
85
86/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
87static void goodG2B2()
88{
89 char * data;
90 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
91 memset(dataBuffer, 'A', 100-1);
92 dataBuffer[100-1] = '\0';
93 if(STATIC_CONST_TRUE)
94 {
95 /* FIX: Set data pointer to the allocated memory buffer */
96 data = dataBuffer;
97 }
98 {
99 char source[100];
100 memset(source, 'C', 100-1); /* fill with 'C's */
101 source[100-1] = '\0'; /* null terminate */
102 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
103 memcpy(data, source, 100*sizeof(char));
104 /* Ensure the destination buffer is null terminated */
105 data[100-1] = '\0';
106 printLine(data);
107 }
108}
109
110void CWE124_Buffer_Underwrite__char_alloca_memcpy_04_good()
111{
112 goodG2B1();
113 goodG2B2();
114}
115
116#endif /* OMITGOOD */
117
118/* Below is the main(). It is only used when building this testcase on
119 * its own for testing or for building a binary to use in testing binary
120 * analysis tools. It is not used when compiling all the testcases as one
121 * application, which is how source code analysis tools are tested.
122 */
123
124#ifdef INCLUDEMAIN
125
126int main(int argc, char * argv[])
127{
128 /* seed randomness */
129 srand( (unsigned)time(NULL) );
130#ifndef OMITGOOD
131 printLine("Calling good()...");
132 CWE124_Buffer_Underwrite__char_alloca_memcpy_04_good();
133 printLine("Finished good()");
134#endif /* OMITGOOD */
135#ifndef OMITBAD
136 printLine("Calling bad()...");
137 CWE124_Buffer_Underwrite__char_alloca_memcpy_04_bad();
138 printLine("Finished bad()");
139#endif /* OMITBAD */
140 return 0;
141}
142
143#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 792: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_loop_02.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_loop_02.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-02.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: loop
12 * BadSink : Copy int array to data using a loop
13 * Flow Variant: 02 Control flow: if(1) and if(0)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_loop_02_bad()
22{
23 int * data;
24 int dataBadBuffer[50];
25 int dataGoodBuffer[100];
26 if(1)
27 {
28 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
29 * buffer in various memory copying functions using a "large" source buffer. */
30 data = dataBadBuffer;
31 }
32 {
33 int source[100] = {0}; /* fill with 0's */
34 {
35 size_t i;
36 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
37 for (i = 0; i < 100; i++)
38 {
39 data[i] = source[i];❗VULN
40 }
41 printIntLine(data[0]);
42 }
43 }
44}
45
46#endif /* OMITBAD */
47
48#ifndef OMITGOOD
49
50/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */
51static void goodG2B1()
52{
53 int * data;
54 int dataBadBuffer[50];
55 int dataGoodBuffer[100];
56 if(0)
57 {
58 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
59 printLine("Benign, fixed string");
60 }
61 else
62 {
63 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
64 data = dataGoodBuffer;
65 }
66 {
67 int source[100] = {0}; /* fill with 0's */
68 {
69 size_t i;
70 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
71 for (i = 0; i < 100; i++)
72 {
73 data[i] = source[i];
74 }
75 printIntLine(data[0]);
76 }
77 }
78}
79
80/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
81static void goodG2B2()
82{
83 int * data;
84 int dataBadBuffer[50];
85 int dataGoodBuffer[100];
86 if(1)
87 {
88 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
89 data = dataGoodBuffer;
90 }
91 {
92 int source[100] = {0}; /* fill with 0's */
93 {
94 size_t i;
95 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
96 for (i = 0; i < 100; i++)
97 {
98 data[i] = source[i];
99 }
100 printIntLine(data[0]);
101 }
102 }
103}
104
105void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_loop_02_good()
106{
107 goodG2B1();
108 goodG2B2();
109}
110
111#endif /* OMITGOOD */
112
113/* Below is the main(). It is only used when building this testcase on
114 * its own for testing or for building a binary to use in testing binary
115 * analysis tools. It is not used when compiling all the testcases as one
116 * application, which is how source code analysis tools are tested.
117 */
118
119#ifdef INCLUDEMAIN
120
121int main(int argc, char * argv[])
122{
123 /* seed randomness */
124 srand( (unsigned)time(NULL) );
125#ifndef OMITGOOD
126 printLine("Calling good()...");
127 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_loop_02_good();
128 printLine("Finished good()");
129#endif /* OMITGOOD */
130#ifndef OMITBAD
131 printLine("Calling bad()...");
132 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_declare_loop_02_bad();
133 printLine("Finished bad()");
134#endif /* OMITBAD */
135 return 0;
136}
137
138#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7686: CWE126_Buffer_Overread__wchar_t_declare_memcpy_13.c

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__wchar_t_declare_memcpy_13.c
3Label Definition File: CWE126_Buffer_Overread.stack.label.xml
4Template File: sources-sink-13.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Set data pointer to a small buffer
10 * GoodSource: Set data pointer to a large buffer
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 13 Control flow: if(GLOBAL_CONST_FIVE==5) and if(GLOBAL_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE126_Buffer_Overread__wchar_t_declare_memcpy_13_bad()
24{
25 wchar_t * data;
26 wchar_t dataBadBuffer[50];
27 wchar_t dataGoodBuffer[100];
28 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */
29 dataBadBuffer[50-1] = L'\0'; /* null terminate */
30 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */
31 dataGoodBuffer[100-1] = L'\0'; /* null terminate */
32 if(GLOBAL_CONST_FIVE==5)
33 {
34 /* FLAW: Set data pointer to a small buffer */
35 data = dataBadBuffer;
36 }
37 {
38 wchar_t dest[100];
39 wmemset(dest, L'C', 100-1);
40 dest[100-1] = L'\0'; /* null terminate */
41 /* POTENTIAL FLAW: using memcpy with the length of the dest where data
42 * could be smaller than dest causing buffer overread */
43 memcpy(dest, data, wcslen(dest)*sizeof(wchar_t));❗VULN
44 dest[100-1] = L'\0';
45 printWLine(dest);
46 }
47}
48
49#endif /* OMITBAD */
50
51#ifndef OMITGOOD
52
53/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_FIVE==5 to GLOBAL_CONST_FIVE!=5 */
54static void goodG2B1()
55{
56 wchar_t * data;
57 wchar_t dataBadBuffer[50];
58 wchar_t dataGoodBuffer[100];
59 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */
60 dataBadBuffer[50-1] = L'\0'; /* null terminate */
61 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */
62 dataGoodBuffer[100-1] = L'\0'; /* null terminate */
63 if(GLOBAL_CONST_FIVE!=5)
64 {
65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
66 printLine("Benign, fixed string");
67 }
68 else
69 {
70 /* FIX: Set data pointer to a large buffer */
71 data = dataGoodBuffer;
72 }
73 {
74 wchar_t dest[100];
75 wmemset(dest, L'C', 100-1);
76 dest[100-1] = L'\0'; /* null terminate */
77 /* POTENTIAL FLAW: using memcpy with the length of the dest where data
78 * could be smaller than dest causing buffer overread */
79 memcpy(dest, data, wcslen(dest)*sizeof(wchar_t));
80 dest[100-1] = L'\0';
81 printWLine(dest);
82 }
83}
84
85/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
86static void goodG2B2()
87{
88 wchar_t * data;
89 wchar_t dataBadBuffer[50];
90 wchar_t dataGoodBuffer[100];
91 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */
92 dataBadBuffer[50-1] = L'\0'; /* null terminate */
93 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */
94 dataGoodBuffer[100-1] = L'\0'; /* null terminate */
95 if(GLOBAL_CONST_FIVE==5)
96 {
97 /* FIX: Set data pointer to a large buffer */
98 data = dataGoodBuffer;
99 }
100 {
101 wchar_t dest[100];
102 wmemset(dest, L'C', 100-1);
103 dest[100-1] = L'\0'; /* null terminate */
104 /* POTENTIAL FLAW: using memcpy with the length of the dest where data
105 * could be smaller than dest causing buffer overread */
106 memcpy(dest, data, wcslen(dest)*sizeof(wchar_t));
107 dest[100-1] = L'\0';
108 printWLine(dest);
109 }
110}
111
112void CWE126_Buffer_Overread__wchar_t_declare_memcpy_13_good()
113{
114 goodG2B1();
115 goodG2B2();
116}
117
118#endif /* OMITGOOD */
119
120/* Below is the main(). It is only used when building this testcase on
121 * its own for testing or for building a binary to use in testing binary
122 * analysis tools. It is not used when compiling all the testcases as one
123 * application, which is how source code analysis tools are tested.
124 */
125
126#ifdef INCLUDEMAIN
127
128int main(int argc, char * argv[])
129{
130 /* seed randomness */
131 srand( (unsigned)time(NULL) );
132#ifndef OMITGOOD
133 printLine("Calling good()...");
134 CWE126_Buffer_Overread__wchar_t_declare_memcpy_13_good();
135 printLine("Finished good()");
136#endif /* OMITGOOD */
137#ifndef OMITBAD
138 printLine("Calling bad()...");
139 CWE126_Buffer_Overread__wchar_t_declare_memcpy_13_bad();
140 printLine("Finished bad()");
141#endif /* OMITBAD */
142 return 0;
143}
144
145#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3483: CWE124_Buffer_Underwrite__char_alloca_memcpy_07.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__char_alloca_memcpy_07.c
3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml
4Template File: sources-sink-07.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memcpy
12 * BadSink : Copy string to data using memcpy
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The variable below is not declared "const", but is never assigned
22 * any other value so a tool should be able to identify that reads of
23 * this will always give its initialized value.
24 */
25static int staticFive = 5;
26
27#ifndef OMITBAD
28
29void CWE124_Buffer_Underwrite__char_alloca_memcpy_07_bad()
30{
31 char * data;
32 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
33 memset(dataBuffer, 'A', 100-1);
34 dataBuffer[100-1] = '\0';
35 if(staticFive==5)
36 {
37 /* FLAW: Set data pointer to before the allocated memory buffer */
38 data = dataBuffer - 8;
39 }
40 {
41 char source[100];
42 memset(source, 'C', 100-1); /* fill with 'C's */
43 source[100-1] = '\0'; /* null terminate */
44 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
45 memcpy(data, source, 100*sizeof(char));❗VULN
46 /* Ensure the destination buffer is null terminated */
47 data[100-1] = '\0';
48 printLine(data);
49 }
50}
51
52#endif /* OMITBAD */
53
54#ifndef OMITGOOD
55
56/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
57static void goodG2B1()
58{
59 char * data;
60 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
61 memset(dataBuffer, 'A', 100-1);
62 dataBuffer[100-1] = '\0';
63 if(staticFive!=5)
64 {
65 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
66 printLine("Benign, fixed string");
67 }
68 else
69 {
70 /* FIX: Set data pointer to the allocated memory buffer */
71 data = dataBuffer;
72 }
73 {
74 char source[100];
75 memset(source, 'C', 100-1); /* fill with 'C's */
76 source[100-1] = '\0'; /* null terminate */
77 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
78 memcpy(data, source, 100*sizeof(char));
79 /* Ensure the destination buffer is null terminated */
80 data[100-1] = '\0';
81 printLine(data);
82 }
83}
84
85/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
86static void goodG2B2()
87{
88 char * data;
89 char * dataBuffer = (char *)ALLOCA(100*sizeof(char));
90 memset(dataBuffer, 'A', 100-1);
91 dataBuffer[100-1] = '\0';
92 if(staticFive==5)
93 {
94 /* FIX: Set data pointer to the allocated memory buffer */
95 data = dataBuffer;
96 }
97 {
98 char source[100];
99 memset(source, 'C', 100-1); /* fill with 'C's */
100 source[100-1] = '\0'; /* null terminate */
101 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
102 memcpy(data, source, 100*sizeof(char));
103 /* Ensure the destination buffer is null terminated */
104 data[100-1] = '\0';
105 printLine(data);
106 }
107}
108
109void CWE124_Buffer_Underwrite__char_alloca_memcpy_07_good()
110{
111 goodG2B1();
112 goodG2B2();
113}
114
115#endif /* OMITGOOD */
116
117/* Below is the main(). It is only used when building this testcase on
118 * its own for testing or for building a binary to use in testing binary
119 * analysis tools. It is not used when compiling all the testcases as one
120 * application, which is how source code analysis tools are tested.
121 */
122
123#ifdef INCLUDEMAIN
124
125int main(int argc, char * argv[])
126{
127 /* seed randomness */
128 srand( (unsigned)time(NULL) );
129#ifndef OMITGOOD
130 printLine("Calling good()...");
131 CWE124_Buffer_Underwrite__char_alloca_memcpy_07_good();
132 printLine("Finished good()");
133#endif /* OMITGOOD */
134#ifndef OMITBAD
135 printLine("Calling bad()...");
136 CWE124_Buffer_Underwrite__char_alloca_memcpy_07_bad();
137 printLine("Finished bad()");
138#endif /* OMITBAD */
139 return 0;
140}
141
142#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7782: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_snprintf_31.c

Nodes: 10 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_snprintf_31.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml
4Template File: sources-sink-31.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sinks: swprintf
12 * BadSink : Copy data to string using swprintf
13 * Flow Variant: 31 Data flow using a copy of data within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifdef _WIN32
22#define SNPRINTF _snwprintf
23#else
24#define SNPRINTF swprintf
25#endif
26
27#ifndef OMITBAD
28
29void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_snprintf_31_bad()
30{
31 wchar_t * data;
32 wchar_t dataBuffer[100];
33 data = dataBuffer;
34 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
35 wmemset(data, L'A', 100-1); /* fill with L'A's */
36 data[100-1] = L'\0'; /* null terminate */
37 {
38 wchar_t * dataCopy = data;
39 wchar_t * data = dataCopy;
40 {
41 wchar_t dest[50] = L"";
42 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
43 SNPRINTF(dest, wcslen(data), L"%s", data);❗VULN
44 printWLine(data);
45 }
46 }
47}
48
49#endif /* OMITBAD */
50
51#ifndef OMITGOOD
52
53/* goodG2B() uses the GoodSource with the BadSink */
54static void goodG2B()
55{
56 wchar_t * data;
57 wchar_t dataBuffer[100];
58 data = dataBuffer;
59 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
60 wmemset(data, L'A', 50-1); /* fill with L'A's */
61 data[50-1] = L'\0'; /* null terminate */
62 {
63 wchar_t * dataCopy = data;
64 wchar_t * data = dataCopy;
65 {
66 wchar_t dest[50] = L"";
67 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
68 SNPRINTF(dest, wcslen(data), L"%s", data);
69 printWLine(data);
70 }
71 }
72}
73
74void CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_snprintf_31_good()
75{
76 goodG2B();
77}
78
79#endif /* OMITGOOD */
80
81/* Below is the main(). It is only used when building this testcase on
82 * its own for testing or for building a binary to use in testing binary
83 * analysis tools. It is not used when compiling all the testcases as one
84 * application, which is how source code analysis tools are tested.
85 */
86#ifdef INCLUDEMAIN
87
88int main(int argc, char * argv[])
89{
90 /* seed randomness */
91 srand( (unsigned)time(NULL) );
92#ifndef OMITGOOD
93 printLine("Calling good()...");
94 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_snprintf_31_good();
95 printLine("Finished good()");
96#endif /* OMITGOOD */
97#ifndef OMITBAD
98 printLine("Calling bad()...");
99 CWE121_Stack_Based_Buffer_Overflow__CWE806_wchar_t_declare_snprintf_31_bad();
100 printLine("Finished bad()");
101#endif /* OMITBAD */
102 return 0;
103}
104
105#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 70: CWE121_Stack_Based_Buffer_Overflow__CWE135_17.c

Nodes: 14 | Sink Nodes: 2 predicted, 2 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE135_17.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE135.label.xml
4Template File: sources-sinks-17.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Void pointer to a wchar_t array
10 * GoodSource: Void pointer to a char array
11 * Sinks:
12 * GoodSink: Allocate memory using wcslen() and copy data
13 * BadSink : Allocate memory using strlen() and copy data
14 * Flow Variant: 17 Control flow: for loops
15 *
16 * */
17
18#include "std_testcase.h"
19
20#include <wchar.h>
21
22#define WIDE_STRING L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
23#define CHAR_STRING "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
24
25#ifndef OMITBAD
26
27void CWE121_Stack_Based_Buffer_Overflow__CWE135_17_bad()
28{
29 int i,j;
30 void * data;
31 data = NULL;
32 for(i = 0; i < 1; i++)
33 {
34 /* POTENTIAL FLAW: Set data to point to a wide string */
35 data = (void *)WIDE_STRING;
36 }
37 for(j = 0; j < 1; j++)
38 {
39 {
40 /* POTENTIAL FLAW: treating pointer as a char* when it may point to a wide string */
41 size_t dataLen = strlen((char *)data);❗VULN
42 void * dest = (void *)ALLOCA((dataLen+1) * sizeof(wchar_t));
43 (void)wcscpy(dest, data);❗VULN
44 printLine((char *)dest);
45 }
46 }
47}
48
49#endif /* OMITBAD */
50
51#ifndef OMITGOOD
52
53/* goodB2G() - use badsource and goodsink in the for statements */
54static void goodB2G()
55{
56 int i,k;
57 void * data;
58 data = NULL;
59 for(i = 0; i < 1; i++)
60 {
61 /* POTENTIAL FLAW: Set data to point to a wide string */
62 data = (void *)WIDE_STRING;
63 }
64 for(k = 0; k < 1; k++)
65 {
66 {
67 /* FIX: treating pointer like a wchar_t* */
68 size_t dataLen = wcslen((wchar_t *)data);
69 void * dest = (void *)ALLOCA((dataLen+1) * sizeof(wchar_t));
70 (void)wcscpy(dest, data);
71 printWLine((wchar_t *)dest);
72 }
73 }
74}
75
76/* goodG2B() - use goodsource and badsink in the for statements */
77static void goodG2B()
78{
79 int h,j;
80 void * data;
81 data = NULL;
82 for(h = 0; h < 1; h++)
83 {
84 /* FIX: Set data to point to a char string */
85 data = (void *)CHAR_STRING;
86 }
87 for(j = 0; j < 1; j++)
88 {
89 {
90 /* POTENTIAL FLAW: treating pointer as a char* when it may point to a wide string */
91 size_t dataLen = strlen((char *)data);
92 void * dest = (void *)ALLOCA((dataLen+1) * 1);
93 (void)strcpy(dest, data);
94 printLine((char *)dest);
95 }
96 }
97}
98
99void CWE121_Stack_Based_Buffer_Overflow__CWE135_17_good()
100{
101 goodB2G();
102 goodG2B();
103}
104
105#endif /* OMITGOOD */
106
107/* Below is the main(). It is only used when building this testcase on
108 its own for testing or for building a binary to use in testing binary
109 analysis tools. It is not used when compiling all the testcases as one
110 application, which is how source code analysis tools are tested. */
111
112#ifdef INCLUDEMAIN
113
114int main(int argc, char * argv[])
115{
116 /* seed randomness */
117 srand( (unsigned)time(NULL) );
118#ifndef OMITGOOD
119 printLine("Calling good()...");
120 CWE121_Stack_Based_Buffer_Overflow__CWE135_17_good();
121 printLine("Finished good()");
122#endif /* OMITGOOD */
123#ifndef OMITBAD
124 printLine("Calling bad()...");
125 CWE121_Stack_Based_Buffer_Overflow__CWE135_17_bad();
126 printLine("Finished bad()");
127#endif /* OMITBAD */
128 return 0;
129}
130
131#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4951: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncpy_05.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncpy_05.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml
4Template File: sources-sink-05.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: ncpy
12 * BadSink : Copy data to string using strncpy
13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are not defined as "const", but are never
22 * assigned any other value, so a tool should be able to identify that
23 * reads of these will always return their initialized values.
24 */
25static int staticTrue = 1; /* true */
26static int staticFalse = 0; /* false */
27
28#ifndef OMITBAD
29
30void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncpy_05_bad()
31{
32 char * data;
33 data = (char *)malloc(100*sizeof(char));
34 if (data == NULL) {exit(-1);}
35 if(staticTrue)
36 {
37 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
38 memset(data, 'A', 100-1); /* fill with 'A's */
39 data[100-1] = '\0'; /* null terminate */
40 }
41 {
42 char dest[50] = "";
43 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
44 strncpy(dest, data, strlen(data));❗VULN
45 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
46 printLine(data);
47 free(data);
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */
56static void goodG2B1()
57{
58 char * data;
59 data = (char *)malloc(100*sizeof(char));
60 if (data == NULL) {exit(-1);}
61 if(staticFalse)
62 {
63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
64 printLine("Benign, fixed string");
65 }
66 else
67 {
68 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
69 memset(data, 'A', 50-1); /* fill with 'A's */
70 data[50-1] = '\0'; /* null terminate */
71 }
72 {
73 char dest[50] = "";
74 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
75 strncpy(dest, data, strlen(data));
76 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
77 printLine(data);
78 free(data);
79 }
80}
81
82/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
83static void goodG2B2()
84{
85 char * data;
86 data = (char *)malloc(100*sizeof(char));
87 if (data == NULL) {exit(-1);}
88 if(staticTrue)
89 {
90 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
91 memset(data, 'A', 50-1); /* fill with 'A's */
92 data[50-1] = '\0'; /* null terminate */
93 }
94 {
95 char dest[50] = "";
96 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
97 strncpy(dest, data, strlen(data));
98 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
99 printLine(data);
100 free(data);
101 }
102}
103
104void CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncpy_05_good()
105{
106 goodG2B1();
107 goodG2B2();
108}
109
110#endif /* OMITGOOD */
111
112/* Below is the main(). It is only used when building this testcase on
113 * its own for testing or for building a binary to use in testing binary
114 * analysis tools. It is not used when compiling all the testcases as one
115 * application, which is how source code analysis tools are tested.
116 */
117
118#ifdef INCLUDEMAIN
119
120int main(int argc, char * argv[])
121{
122 /* seed randomness */
123 srand( (unsigned)time(NULL) );
124#ifndef OMITGOOD
125 printLine("Calling good()...");
126 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncpy_05_good();
127 printLine("Finished good()");
128#endif /* OMITGOOD */
129#ifndef OMITBAD
130 printLine("Calling bad()...");
131 CWE122_Heap_Based_Buffer_Overflow__c_CWE806_char_ncpy_05_bad();
132 printLine("Finished bad()");
133#endif /* OMITBAD */
134 return 0;
135}
136
137#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2010: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_memmove_33.cpp

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_memmove_33.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE806.label.xml
4Template File: sources-sink-33.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sinks: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 33 Data flow: use of a C++ reference to data within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_memmove_33
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 wchar_t * data;
29 wchar_t * &dataRef = data;
30 data = (wchar_t *)malloc(100*sizeof(wchar_t));
31 if (data == NULL) {exit(-1);}
32 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
33 wmemset(data, L'A', 100-1); /* fill with L'A's */
34 data[100-1] = L'\0'; /* null terminate */
35 {
36 wchar_t * data = dataRef;
37 {
38 wchar_t dest[50] = L"";
39 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
40 memmove(dest, data, wcslen(data)*sizeof(wchar_t));❗VULN
41 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
42 printWLine(data);
43 free(data);
44 }
45 }
46}
47
48#endif /* OMITBAD */
49
50#ifndef OMITGOOD
51
52/* goodG2B() uses the GoodSource with the BadSink */
53static void goodG2B()
54{
55 wchar_t * data;
56 wchar_t * &dataRef = data;
57 data = (wchar_t *)malloc(100*sizeof(wchar_t));
58 if (data == NULL) {exit(-1);}
59 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
60 wmemset(data, L'A', 50-1); /* fill with L'A's */
61 data[50-1] = L'\0'; /* null terminate */
62 {
63 wchar_t * data = dataRef;
64 {
65 wchar_t dest[50] = L"";
66 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
67 memmove(dest, data, wcslen(data)*sizeof(wchar_t));
68 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
69 printWLine(data);
70 free(data);
71 }
72 }
73}
74
75void good()
76{
77 goodG2B();
78}
79
80#endif /* OMITGOOD */
81
82} /* close namespace */
83
84/* Below is the main(). It is only used when building this testcase on
85 * its own for testing or for building a binary to use in testing binary
86 * analysis tools. It is not used when compiling all the testcases as one
87 * application, which is how source code analysis tools are tested.
88 */
89#ifdef INCLUDEMAIN
90
91using namespace CWE122_Heap_Based_Buffer_Overflow__c_CWE806_wchar_t_memmove_33; /* so that we can use good and bad easily */
92
93int main(int argc, char * argv[])
94{
95 /* seed randomness */
96 srand( (unsigned)time(NULL) );
97#ifndef OMITGOOD
98 printLine("Calling good()...");
99 good();
100 printLine("Finished good()");
101#endif /* OMITGOOD */
102#ifndef OMITBAD
103 printLine("Calling bad()...");
104 bad();
105 printLine("Finished bad()");
106#endif /* OMITBAD */
107 return 0;
108}
109
110#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8149: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_snprintf_02.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_snprintf_02.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml
4Template File: sources-sink-02.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: snprintf
12 * BadSink : Copy string to data using snprintf
13 * Flow Variant: 02 Control flow: if(1) and if(0)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifdef _WIN32
22#define SNPRINTF _snprintf
23#else
24#define SNPRINTF snprintf
25#endif
26
27#ifndef OMITBAD
28
29void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_snprintf_02_bad()
30{
31 char * data;
32 char dataBadBuffer[50];
33 char dataGoodBuffer[100];
34 if(1)
35 {
36 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
37 * buffer in various memory copying functions using a "large" source buffer. */
38 data = dataBadBuffer;
39 data[0] = '\0'; /* null terminate */
40 }
41 {
42 char source[100];
43 memset(source, 'C', 100-1); /* fill with 'C's */
44 source[100-1] = '\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
46 SNPRINTF(data, 100, "%s", source);❗VULN
47 printLine(data);
48 }
49}
50
51#endif /* OMITBAD */
52
53#ifndef OMITGOOD
54
55/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */
56static void goodG2B1()
57{
58 char * data;
59 char dataBadBuffer[50];
60 char dataGoodBuffer[100];
61 if(0)
62 {
63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
64 printLine("Benign, fixed string");
65 }
66 else
67 {
68 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
69 data = dataGoodBuffer;
70 data[0] = '\0'; /* null terminate */
71 }
72 {
73 char source[100];
74 memset(source, 'C', 100-1); /* fill with 'C's */
75 source[100-1] = '\0'; /* null terminate */
76 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
77 SNPRINTF(data, 100, "%s", source);
78 printLine(data);
79 }
80}
81
82/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
83static void goodG2B2()
84{
85 char * data;
86 char dataBadBuffer[50];
87 char dataGoodBuffer[100];
88 if(1)
89 {
90 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
91 data = dataGoodBuffer;
92 data[0] = '\0'; /* null terminate */
93 }
94 {
95 char source[100];
96 memset(source, 'C', 100-1); /* fill with 'C's */
97 source[100-1] = '\0'; /* null terminate */
98 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
99 SNPRINTF(data, 100, "%s", source);
100 printLine(data);
101 }
102}
103
104void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_snprintf_02_good()
105{
106 goodG2B1();
107 goodG2B2();
108}
109
110#endif /* OMITGOOD */
111
112/* Below is the main(). It is only used when building this testcase on
113 * its own for testing or for building a binary to use in testing binary
114 * analysis tools. It is not used when compiling all the testcases as one
115 * application, which is how source code analysis tools are tested.
116 */
117
118#ifdef INCLUDEMAIN
119
120int main(int argc, char * argv[])
121{
122 /* seed randomness */
123 srand( (unsigned)time(NULL) );
124#ifndef OMITGOOD
125 printLine("Calling good()...");
126 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_snprintf_02_good();
127 printLine("Finished good()");
128#endif /* OMITGOOD */
129#ifndef OMITBAD
130 printLine("Calling bad()...");
131 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_declare_snprintf_02_bad();
132 printLine("Finished bad()");
133#endif /* OMITBAD */
134 return 0;
135}
136
137#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1665: CWE124_Buffer_Underwrite__CWE839_connect_socket_02.c

Nodes: 41 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__CWE839_connect_socket_02.c
3Label Definition File: CWE124_Buffer_Underwrite__CWE839.label.xml
4Template File: sources-sinks-02.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: connect_socket Read data using a connect socket (client side)
10 * GoodSource: Non-negative but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the lower bound
14 * Flow Variant: 02 Control flow: if(1) and if(0)
15 *
16 * */
17
18#include "std_testcase.h"
19
20#ifdef _WIN32
21#include <winsock2.h>
22#include <windows.h>
23#include <direct.h>
24#pragma comment(lib, "ws2_32") /* include ws2_32.lib when linking */
25#define CLOSE_SOCKET closesocket
26#else /* NOT _WIN32 */
27#include <sys/types.h>
28#include <sys/socket.h>
29#include <netinet/in.h>
30#include <arpa/inet.h>
31#include <unistd.h>
32#define INVALID_SOCKET -1
33#define SOCKET_ERROR -1
34#define CLOSE_SOCKET close
35#define SOCKET int
36#endif
37
38#define TCP_PORT 27015
39#define IP_ADDRESS "127.0.0.1"
40#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)
41
42#ifndef OMITBAD
43
44void CWE124_Buffer_Underwrite__CWE839_connect_socket_02_bad()
45{
46 int data;
47 /* Initialize data */
48 data = -1;
49 if(1)
50 {
51 {
52#ifdef _WIN32
53 WSADATA wsaData;
54 int wsaDataInit = 0;
55#endif
56 int recvResult;
57 struct sockaddr_in service;
58 SOCKET connectSocket = INVALID_SOCKET;
59 char inputBuffer[CHAR_ARRAY_SIZE];
60 do
61 {
62#ifdef _WIN32
63 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
64 {
65 break;
66 }
67 wsaDataInit = 1;
68#endif
69 /* POTENTIAL FLAW: Read data using a connect socket */
70 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
71 if (connectSocket == INVALID_SOCKET)
72 {
73 break;
74 }
75 memset(&service, 0, sizeof(service));
76 service.sin_family = AF_INET;
77 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);
78 service.sin_port = htons(TCP_PORT);
79 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
80 {
81 break;
82 }
83 /* Abort on error or the connection was closed, make sure to recv one
84 * less char than is in the recv_buf in order to append a terminator */
85 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);
86 if (recvResult == SOCKET_ERROR || recvResult == 0)
87 {
88 break;
89 }
90 /* NUL-terminate the string */
91 inputBuffer[recvResult] = '\0';
92 /* Convert to int */
93 data = atoi(inputBuffer);
94 }
95 while (0);
96 if (connectSocket != INVALID_SOCKET)
97 {
98 CLOSE_SOCKET(connectSocket);
99 }
100#ifdef _WIN32
101 if (wsaDataInit)
102 {
103 WSACleanup();
104 }
105#endif
106 }
107 }
108 if(1)
109 {
110 {
111 int i;
112 int buffer[10] = { 0 };
113 /* POTENTIAL FLAW: Attempt to access a negative index of the array
114 * This code does not check to see if the array index is negative */
115 if (data < 10)
116 {
117 buffer[data] = 1;❗VULN
118 /* Print the array values */
119 for(i = 0; i < 10; i++)
120 {
121 printIntLine(buffer[i]);
122 }
123 }
124 else
125 {
126 printLine("ERROR: Array index is negative.");
127 }
128 }
129 }
130}
131
132#endif /* OMITBAD */
133
134#ifndef OMITGOOD
135
136/* goodB2G1() - use badsource and goodsink by changing the second 1 to 0 */
137static void goodB2G1()
138{
139 int data;
140 /* Initialize data */
141 data = -1;
142 if(1)
143 {
144 {
145#ifdef _WIN32
146 WSADATA wsaData;
147 int wsaDataInit = 0;
148#endif
149 int recvResult;
150 struct sockaddr_in service;
151 SOCKET connectSocket = INVALID_SOCKET;
152 char inputBuffer[CHAR_ARRAY_SIZE];
153 do
154 {
155#ifdef _WIN32
156 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
157 {
158 break;
159 }
160 wsaDataInit = 1;
161#endif
162 /* POTENTIAL FLAW: Read data using a connect socket */
163 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
164 if (connectSocket == INVALID_SOCKET)
165 {
166 break;
167 }
168 memset(&service, 0, sizeof(service));
169 service.sin_family = AF_INET;
170 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);
171 service.sin_port = htons(TCP_PORT);
172 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
173 {
174 break;
175 }
176 /* Abort on error or the connection was closed, make sure to recv one
177 * less char than is in the recv_buf in order to append a terminator */
178 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);
179 if (recvResult == SOCKET_ERROR || recvResult == 0)
180 {
181 break;
182 }
183 /* NUL-terminate the string */
184 inputBuffer[recvResult] = '\0';
185 /* Convert to int */
186 data = atoi(inputBuffer);
187 }
188 while (0);
189 if (connectSocket != INVALID_SOCKET)
190 {
191 CLOSE_SOCKET(connectSocket);
192 }
193#ifdef _WIN32
194 if (wsaDataInit)
195 {
196 WSACleanup();
197 }
198#endif
199 }
200 }
201 if(0)
202 {
203 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
204 printLine("Benign, fixed string");
205 }
206 else
207 {
208 {
209 int i;
210 int buffer[10] = { 0 };
211 /* FIX: Properly validate the array index and prevent a buffer underwrite */
212 if (data >= 0 && data < (10))
213 {
214 buffer[data] = 1;
215 /* Print the array values */
216 for(i = 0; i < 10; i++)
217 {
218 printIntLine(buffer[i]);
219 }
220 }
221 else
222 {
223 printLine("ERROR: Array index is out-of-bounds");
224 }
225 }
226 }
227}
228
229/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */
230static void goodB2G2()
231{
232 int data;
233 /* Initialize data */
234 data = -1;
235 if(1)
236 {
237 {
238#ifdef _WIN32
239 WSADATA wsaData;
240 int wsaDataInit = 0;
241#endif
242 int recvResult;
243 struct sockaddr_in service;
244 SOCKET connectSocket = INVALID_SOCKET;
245 char inputBuffer[CHAR_ARRAY_SIZE];
246 do
247 {
248#ifdef _WIN32
249 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
250 {
251 break;
252 }
253 wsaDataInit = 1;
254#endif
255 /* POTENTIAL FLAW: Read data using a connect socket */
256 connectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
257 if (connectSocket == INVALID_SOCKET)
258 {
259 break;
260 }
261 memset(&service, 0, sizeof(service));
262 service.sin_family = AF_INET;
263 service.sin_addr.s_addr = inet_addr(IP_ADDRESS);
264 service.sin_port = htons(TCP_PORT);
265 if (connect(connectSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
266 {
267 break;
268 }
269 /* Abort on error or the connection was closed, make sure to recv one
270 * less char than is in the recv_buf in order to append a terminator */
271 recvResult = recv(connectSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);
272 if (recvResult == SOCKET_ERROR || recvResult == 0)
273 {
274 break;
275 }
276 /* NUL-terminate the string */
277 inputBuffer[recvResult] = '\0';
278 /* Convert to int */
279 data = atoi(inputBuffer);
280 }
281 while (0);
282 if (connectSocket != INVALID_SOCKET)
283 {
284 CLOSE_SOCKET(connectSocket);
285 }
286#ifdef _WIN32
287 if (wsaDataInit)
288 {
289 WSACleanup();
290 }
291#endif
292 }
293 }
294 if(1)
295 {
296 {
297 int i;
298 int buffer[10] = { 0 };
299 /* FIX: Properly validate the array index and prevent a buffer underwrite */
300 if (data >= 0 && data < (10))
301 {
302 buffer[data] = 1;
303 /* Print the array values */
304 for(i = 0; i < 10; i++)
305 {
306 printIntLine(buffer[i]);
307 }
308 }
309 else
310 {
311 printLine("ERROR: Array index is out-of-bounds");
312 }
313 }
314 }
315}
316
317/* goodG2B1() - use goodsource and badsink by changing the first 1 to 0 */
318static void goodG2B1()
319{
320 int data;
321 /* Initialize data */
322 data = -1;
323 if(0)
324 {
325 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
326 printLine("Benign, fixed string");
327 }
328 else
329 {
330 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
331 * access an index of the array in the sink that is out-of-bounds */
332 data = 7;
333 }
334 if(1)
335 {
336 {
337 int i;
338 int buffer[10] = { 0 };
339 /* POTENTIAL FLAW: Attempt to access a negative index of the array
340 * This code does not check to see if the array index is negative */
341 if (data < 10)
342 {
343 buffer[data] = 1;
344 /* Print the array values */
345 for(i = 0; i < 10; i++)
346 {
347 printIntLine(buffer[i]);
348 }
349 }
350 else
351 {
352 printLine("ERROR: Array index is negative.");
353 }
354 }
355 }
356}
357
358/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */
359static void goodG2B2()
360{
361 int data;
362 /* Initialize data */
363 data = -1;
364 if(1)
365 {
366 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
367 * access an index of the array in the sink that is out-of-bounds */
368 data = 7;
369 }
370 if(1)
371 {
372 {
373 int i;
374 int buffer[10] = { 0 };
375 /* POTENTIAL FLAW: Attempt to access a negative index of the array
376 * This code does not check to see if the array index is negative */
377 if (data < 10)
378 {
379 buffer[data] = 1;
380 /* Print the array values */
381 for(i = 0; i < 10; i++)
382 {
383 printIntLine(buffer[i]);
384 }
385 }
386 else
387 {
388 printLine("ERROR: Array index is negative.");
389 }
390 }
391 }
392}
393
394void CWE124_Buffer_Underwrite__CWE839_connect_socket_02_good()
395{
396 goodB2G1();
397 goodB2G2();
398 goodG2B1();
399 goodG2B2();
400}
401
402#endif /* OMITGOOD */
403
404/* Below is the main(). It is only used when building this testcase on
405 its own for testing or for building a binary to use in testing binary
406 analysis tools. It is not used when compiling all the testcases as one
407 application, which is how source code analysis tools are tested. */
408
409#ifdef INCLUDEMAIN
410
411int main(int argc, char * argv[])
412{
413 /* seed randomness */
414 srand( (unsigned)time(NULL) );
415#ifndef OMITGOOD
416 printLine("Calling good()...");
417 CWE124_Buffer_Underwrite__CWE839_connect_socket_02_good();
418 printLine("Finished good()");
419#endif /* OMITGOOD */
420#ifndef OMITBAD
421 printLine("Calling bad()...");
422 CWE124_Buffer_Underwrite__CWE839_connect_socket_02_bad();
423 printLine("Finished bad()");
424#endif /* OMITBAD */
425 return 0;
426}
427
428#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3469: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_memcpy_15.cpp

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_memcpy_15.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806.label.xml
4Template File: sources-sink-15.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: memcpy
12 * BadSink : Copy data to string using memcpy
13 * Flow Variant: 15 Control flow: switch(6)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_memcpy_15
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 wchar_t * data;
29 data = new wchar_t[100];
30 switch(6)
31 {
32 case 6:
33 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
34 wmemset(data, L'A', 100-1); /* fill with L'A's */
35 data[100-1] = L'\0'; /* null terminate */
36 break;
37 default:
38 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
39 printLine("Benign, fixed string");
40 break;
41 }
42 {
43 wchar_t dest[50] = L"";
44 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
45 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));❗VULN
46 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
47 printWLine(data);
48 delete [] data;
49 }
50}
51
52#endif /* OMITBAD */
53
54#ifndef OMITGOOD
55
56/* goodG2B1() - use goodsource and badsink by changing the switch to switch(5) */
57static void goodG2B1()
58{
59 wchar_t * data;
60 data = new wchar_t[100];
61 switch(5)
62 {
63 case 6:
64 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
65 printLine("Benign, fixed string");
66 break;
67 default:
68 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
69 wmemset(data, L'A', 50-1); /* fill with L'A's */
70 data[50-1] = L'\0'; /* null terminate */
71 break;
72 }
73 {
74 wchar_t dest[50] = L"";
75 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
76 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));
77 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
78 printWLine(data);
79 delete [] data;
80 }
81}
82
83/* goodG2B2() - use goodsource and badsink by reversing the blocks in the switch */
84static void goodG2B2()
85{
86 wchar_t * data;
87 data = new wchar_t[100];
88 switch(6)
89 {
90 case 6:
91 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
92 wmemset(data, L'A', 50-1); /* fill with L'A's */
93 data[50-1] = L'\0'; /* null terminate */
94 break;
95 default:
96 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
97 printLine("Benign, fixed string");
98 break;
99 }
100 {
101 wchar_t dest[50] = L"";
102 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
103 memcpy(dest, data, wcslen(data)*sizeof(wchar_t));
104 dest[50-1] = L'\0'; /* Ensure the destination buffer is null terminated */
105 printWLine(data);
106 delete [] data;
107 }
108}
109
110void good()
111{
112 goodG2B1();
113 goodG2B2();
114}
115
116#endif /* OMITGOOD */
117
118} /* close namespace */
119
120/* Below is the main(). It is only used when building this testcase on
121 its own for testing or for building a binary to use in testing binary
122 analysis tools. It is not used when compiling all the testcases as one
123 application, which is how source code analysis tools are tested. */
124
125#ifdef INCLUDEMAIN
126
127using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_wchar_t_memcpy_15; /* so that we can use good and bad easily */
128
129int main(int argc, char * argv[])
130{
131 /* seed randomness */
132 srand( (unsigned)time(NULL) );
133#ifndef OMITGOOD
134 printLine("Calling good()...");
135 good();
136 printLine("Finished good()");
137#endif /* OMITGOOD */
138#ifndef OMITBAD
139 printLine("Calling bad()...");
140 bad();
141 printLine("Finished bad()");
142#endif /* OMITBAD */
143 return 0;
144}
145
146#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7358: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_06.c

Nodes: 8 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_06.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-06.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: memmove
12 * BadSink : Copy int array to data using memmove
13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19/* The variable below is declared "const", so a tool should be able
20 * to identify that reads of this will always give its initialized value. */
21static const int STATIC_CONST_FIVE = 5;
22
23#ifndef OMITBAD
24
25void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_06_bad()
26{
27 int * data;
28 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));
29 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));
30 if(STATIC_CONST_FIVE==5)
31 {
32 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
33 * buffer in various memory copying functions using a "large" source buffer. */
34 data = dataBadBuffer;
35 }
36 {
37 int source[100] = {0}; /* fill with 0's */
38 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
39 memmove(data, source, 100*sizeof(int));❗VULN
40 printIntLine(data[0]);
41 }
42}
43
44#endif /* OMITBAD */
45
46#ifndef OMITGOOD
47
48/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */
49static void goodG2B1()
50{
51 int * data;
52 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));
53 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));
54 if(STATIC_CONST_FIVE!=5)
55 {
56 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
57 printLine("Benign, fixed string");
58 }
59 else
60 {
61 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
62 data = dataGoodBuffer;
63 }
64 {
65 int source[100] = {0}; /* fill with 0's */
66 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
67 memmove(data, source, 100*sizeof(int));
68 printIntLine(data[0]);
69 }
70}
71
72/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
73static void goodG2B2()
74{
75 int * data;
76 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));
77 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));
78 if(STATIC_CONST_FIVE==5)
79 {
80 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
81 data = dataGoodBuffer;
82 }
83 {
84 int source[100] = {0}; /* fill with 0's */
85 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
86 memmove(data, source, 100*sizeof(int));
87 printIntLine(data[0]);
88 }
89}
90
91void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_06_good()
92{
93 goodG2B1();
94 goodG2B2();
95}
96
97#endif /* OMITGOOD */
98
99/* Below is the main(). It is only used when building this testcase on
100 * its own for testing or for building a binary to use in testing binary
101 * analysis tools. It is not used when compiling all the testcases as one
102 * application, which is how source code analysis tools are tested.
103 */
104
105#ifdef INCLUDEMAIN
106
107int main(int argc, char * argv[])
108{
109 /* seed randomness */
110 srand( (unsigned)time(NULL) );
111#ifndef OMITGOOD
112 printLine("Calling good()...");
113 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_06_good();
114 printLine("Finished good()");
115#endif /* OMITGOOD */
116#ifndef OMITBAD
117 printLine("Calling bad()...");
118 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_06_bad();
119 printLine("Finished bad()");
120#endif /* OMITBAD */
121 return 0;
122}
123
124#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8656: CWE126_Buffer_Overread__wchar_t_alloca_loop_32.c

Nodes: 24 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__wchar_t_alloca_loop_32.c
3Label Definition File: CWE126_Buffer_Overread.stack.label.xml
4Template File: sources-sink-32.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Set data pointer to a small buffer
10 * GoodSource: Set data pointer to a large buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE126_Buffer_Overread__wchar_t_alloca_loop_32_bad()
24{
25 wchar_t * data;
26 wchar_t * *dataPtr1 = &data;
27 wchar_t * *dataPtr2 = &data;
28 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
29 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
30 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */
31 dataBadBuffer[50-1] = L'\0'; /* null terminate */
32 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */
33 dataGoodBuffer[100-1] = L'\0'; /* null terminate */
34 {
35 wchar_t * data = *dataPtr1;
36 /* FLAW: Set data pointer to a small buffer */
37 data = dataBadBuffer;
38 *dataPtr1 = data;
39 }
40 {
41 wchar_t * data = *dataPtr2;
42 {
43 size_t i, destLen;
44 wchar_t dest[100];
45 wmemset(dest, L'C', 100-1);
46 dest[100-1] = L'\0'; /* null terminate */
47 destLen = wcslen(dest);
48 /* POTENTIAL FLAW: using length of the dest where data
49 * could be smaller than dest causing buffer overread */
50 for (i = 0; i < destLen; i++)
51 {
52 dest[i] = data[i];❗VULN
53 }
54 dest[100-1] = L'\0';
55 printWLine(dest);
56 }
57 }
58}
59
60#endif /* OMITBAD */
61
62#ifndef OMITGOOD
63
64/* goodG2B() uses the GoodSource with the BadSink */
65static void goodG2B()
66{
67 wchar_t * data;
68 wchar_t * *dataPtr1 = &data;
69 wchar_t * *dataPtr2 = &data;
70 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
71 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
72 wmemset(dataBadBuffer, L'A', 50-1); /* fill with 'A's */
73 dataBadBuffer[50-1] = L'\0'; /* null terminate */
74 wmemset(dataGoodBuffer, L'A', 100-1); /* fill with 'A's */
75 dataGoodBuffer[100-1] = L'\0'; /* null terminate */
76 {
77 wchar_t * data = *dataPtr1;
78 /* FIX: Set data pointer to a large buffer */
79 data = dataGoodBuffer;
80 *dataPtr1 = data;
81 }
82 {
83 wchar_t * data = *dataPtr2;
84 {
85 size_t i, destLen;
86 wchar_t dest[100];
87 wmemset(dest, L'C', 100-1);
88 dest[100-1] = L'\0'; /* null terminate */
89 destLen = wcslen(dest);
90 /* POTENTIAL FLAW: using length of the dest where data
91 * could be smaller than dest causing buffer overread */
92 for (i = 0; i < destLen; i++)
93 {
94 dest[i] = data[i];
95 }
96 dest[100-1] = L'\0';
97 printWLine(dest);
98 }
99 }
100}
101
102void CWE126_Buffer_Overread__wchar_t_alloca_loop_32_good()
103{
104 goodG2B();
105}
106
107#endif /* OMITGOOD */
108
109/* Below is the main(). It is only used when building this testcase on
110 * its own for testing or for building a binary to use in testing binary
111 * analysis tools. It is not used when compiling all the testcases as one
112 * application, which is how source code analysis tools are tested.
113 */
114#ifdef INCLUDEMAIN
115
116int main(int argc, char * argv[])
117{
118 /* seed randomness */
119 srand( (unsigned)time(NULL) );
120#ifndef OMITGOOD
121 printLine("Calling good()...");
122 CWE126_Buffer_Overread__wchar_t_alloca_loop_32_good();
123 printLine("Finished good()");
124#endif /* OMITGOOD */
125#ifndef OMITBAD
126 printLine("Calling bad()...");
127 CWE126_Buffer_Overread__wchar_t_alloca_loop_32_bad();
128 printLine("Finished bad()");
129#endif /* OMITBAD */
130 return 0;
131}
132
133#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 5028: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_11.c

Nodes: 8 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_11.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-11.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: memmove
12 * BadSink : Copy int array to data using memmove
13 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_11_bad()
22{
23 int * data;
24 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));
25 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));
26 if(globalReturnsTrue())
27 {
28 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
29 * buffer in various memory copying functions using a "large" source buffer. */
30 data = dataBadBuffer;
31 }
32 {
33 int source[100] = {0}; /* fill with 0's */
34 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
35 memmove(data, source, 100*sizeof(int));❗VULN
36 printIntLine(data[0]);
37 }
38}
39
40#endif /* OMITBAD */
41
42#ifndef OMITGOOD
43
44/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */
45static void goodG2B1()
46{
47 int * data;
48 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));
49 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));
50 if(globalReturnsFalse())
51 {
52 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
53 printLine("Benign, fixed string");
54 }
55 else
56 {
57 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
58 data = dataGoodBuffer;
59 }
60 {
61 int source[100] = {0}; /* fill with 0's */
62 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
63 memmove(data, source, 100*sizeof(int));
64 printIntLine(data[0]);
65 }
66}
67
68/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
69static void goodG2B2()
70{
71 int * data;
72 int * dataBadBuffer = (int *)ALLOCA(50*sizeof(int));
73 int * dataGoodBuffer = (int *)ALLOCA(100*sizeof(int));
74 if(globalReturnsTrue())
75 {
76 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
77 data = dataGoodBuffer;
78 }
79 {
80 int source[100] = {0}; /* fill with 0's */
81 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
82 memmove(data, source, 100*sizeof(int));
83 printIntLine(data[0]);
84 }
85}
86
87void CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_11_good()
88{
89 goodG2B1();
90 goodG2B2();
91}
92
93#endif /* OMITGOOD */
94
95/* Below is the main(). It is only used when building this testcase on
96 * its own for testing or for building a binary to use in testing binary
97 * analysis tools. It is not used when compiling all the testcases as one
98 * application, which is how source code analysis tools are tested.
99 */
100
101#ifdef INCLUDEMAIN
102
103int main(int argc, char * argv[])
104{
105 /* seed randomness */
106 srand( (unsigned)time(NULL) );
107#ifndef OMITGOOD
108 printLine("Calling good()...");
109 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_11_good();
110 printLine("Finished good()");
111#endif /* OMITGOOD */
112#ifndef OMITBAD
113 printLine("Calling bad()...");
114 CWE121_Stack_Based_Buffer_Overflow__CWE805_int_alloca_memmove_11_bad();
115 printLine("Finished bad()");
116#endif /* OMITBAD */
117 return 0;
118}
119
120#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1673: CWE124_Buffer_Underwrite__malloc_wchar_t_ncpy_11.c

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__malloc_wchar_t_ncpy_11.c
3Label Definition File: CWE124_Buffer_Underwrite__malloc.label.xml
4Template File: sources-sink-11.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: ncpy
12 * BadSink : Copy string to data using wcsncpy
13 * Flow Variant: 11 Control flow: if(globalReturnsTrue()) and if(globalReturnsFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE124_Buffer_Underwrite__malloc_wchar_t_ncpy_11_bad()
24{
25 wchar_t * data;
26 data = NULL;
27 if(globalReturnsTrue())
28 {
29 {
30 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
31 if (dataBuffer == NULL) {exit(-1);}
32 wmemset(dataBuffer, L'A', 100-1);
33 dataBuffer[100-1] = L'\0';
34 /* FLAW: Set data pointer to before the allocated memory buffer */
35 data = dataBuffer - 8;
36 }
37 }
38 {
39 wchar_t source[100];
40 wmemset(source, L'C', 100-1); /* fill with 'C's */
41 source[100-1] = L'\0'; /* null terminate */
42 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
43 wcsncpy(data, source, 100-1);❗VULN
44 /* Ensure the destination buffer is null terminated */
45 data[100-1] = L'\0';
46 printWLine(data);
47 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
48 * returned by malloc() so can't safely call free() on it */
49 }
50}
51
52#endif /* OMITBAD */
53
54#ifndef OMITGOOD
55
56/* goodG2B1() - use goodsource and badsink by changing the globalReturnsTrue() to globalReturnsFalse() */
57static void goodG2B1()
58{
59 wchar_t * data;
60 data = NULL;
61 if(globalReturnsFalse())
62 {
63 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
64 printLine("Benign, fixed string");
65 }
66 else
67 {
68 {
69 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
70 if (dataBuffer == NULL) {exit(-1);}
71 wmemset(dataBuffer, L'A', 100-1);
72 dataBuffer[100-1] = L'\0';
73 /* FIX: Set data pointer to the allocated memory buffer */
74 data = dataBuffer;
75 }
76 }
77 {
78 wchar_t source[100];
79 wmemset(source, L'C', 100-1); /* fill with 'C's */
80 source[100-1] = L'\0'; /* null terminate */
81 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
82 wcsncpy(data, source, 100-1);
83 /* Ensure the destination buffer is null terminated */
84 data[100-1] = L'\0';
85 printWLine(data);
86 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
87 * returned by malloc() so can't safely call free() on it */
88 }
89}
90
91/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
92static void goodG2B2()
93{
94 wchar_t * data;
95 data = NULL;
96 if(globalReturnsTrue())
97 {
98 {
99 wchar_t * dataBuffer = (wchar_t *)malloc(100*sizeof(wchar_t));
100 if (dataBuffer == NULL) {exit(-1);}
101 wmemset(dataBuffer, L'A', 100-1);
102 dataBuffer[100-1] = L'\0';
103 /* FIX: Set data pointer to the allocated memory buffer */
104 data = dataBuffer;
105 }
106 }
107 {
108 wchar_t source[100];
109 wmemset(source, L'C', 100-1); /* fill with 'C's */
110 source[100-1] = L'\0'; /* null terminate */
111 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
112 wcsncpy(data, source, 100-1);
113 /* Ensure the destination buffer is null terminated */
114 data[100-1] = L'\0';
115 printWLine(data);
116 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
117 * returned by malloc() so can't safely call free() on it */
118 }
119}
120
121void CWE124_Buffer_Underwrite__malloc_wchar_t_ncpy_11_good()
122{
123 goodG2B1();
124 goodG2B2();
125}
126
127#endif /* OMITGOOD */
128
129/* Below is the main(). It is only used when building this testcase on
130 * its own for testing or for building a binary to use in testing binary
131 * analysis tools. It is not used when compiling all the testcases as one
132 * application, which is how source code analysis tools are tested.
133 */
134
135#ifdef INCLUDEMAIN
136
137int main(int argc, char * argv[])
138{
139 /* seed randomness */
140 srand( (unsigned)time(NULL) );
141#ifndef OMITGOOD
142 printLine("Calling good()...");
143 CWE124_Buffer_Underwrite__malloc_wchar_t_ncpy_11_good();
144 printLine("Finished good()");
145#endif /* OMITGOOD */
146#ifndef OMITBAD
147 printLine("Calling bad()...");
148 CWE124_Buffer_Underwrite__malloc_wchar_t_ncpy_11_bad();
149 printLine("Finished bad()");
150#endif /* OMITBAD */
151 return 0;
152}
153
154#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7161: CWE127_Buffer_Underread__wchar_t_declare_ncpy_14.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__wchar_t_declare_ncpy_14.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-14.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: ncpy
12 * BadSink : Copy data to string using wcsncpy
13 * Flow Variant: 14 Control flow: if(globalFive==5) and if(globalFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__wchar_t_declare_ncpy_14_bad()
24{
25 wchar_t * data;
26 wchar_t dataBuffer[100];
27 wmemset(dataBuffer, L'A', 100-1);
28 dataBuffer[100-1] = L'\0';
29 if(globalFive==5)
30 {
31 /* FLAW: Set data pointer to before the allocated memory buffer */
32 data = dataBuffer - 8;
33 }
34 {
35 wchar_t dest[100];
36 wmemset(dest, L'C', 100-1); /* fill with 'C's */
37 dest[100-1] = L'\0'; /* null terminate */
38 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
39 wcsncpy(dest, data, wcslen(dest));❗VULN
40 /* Ensure null termination */
41 dest[100-1] = L'\0';
42 printWLine(dest);
43 }
44}
45
46#endif /* OMITBAD */
47
48#ifndef OMITGOOD
49
50/* goodG2B1() - use goodsource and badsink by changing the globalFive==5 to globalFive!=5 */
51static void goodG2B1()
52{
53 wchar_t * data;
54 wchar_t dataBuffer[100];
55 wmemset(dataBuffer, L'A', 100-1);
56 dataBuffer[100-1] = L'\0';
57 if(globalFive!=5)
58 {
59 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
60 printLine("Benign, fixed string");
61 }
62 else
63 {
64 /* FIX: Set data pointer to the allocated memory buffer */
65 data = dataBuffer;
66 }
67 {
68 wchar_t dest[100];
69 wmemset(dest, L'C', 100-1); /* fill with 'C's */
70 dest[100-1] = L'\0'; /* null terminate */
71 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
72 wcsncpy(dest, data, wcslen(dest));
73 /* Ensure null termination */
74 dest[100-1] = L'\0';
75 printWLine(dest);
76 }
77}
78
79/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
80static void goodG2B2()
81{
82 wchar_t * data;
83 wchar_t dataBuffer[100];
84 wmemset(dataBuffer, L'A', 100-1);
85 dataBuffer[100-1] = L'\0';
86 if(globalFive==5)
87 {
88 /* FIX: Set data pointer to the allocated memory buffer */
89 data = dataBuffer;
90 }
91 {
92 wchar_t dest[100];
93 wmemset(dest, L'C', 100-1); /* fill with 'C's */
94 dest[100-1] = L'\0'; /* null terminate */
95 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
96 wcsncpy(dest, data, wcslen(dest));
97 /* Ensure null termination */
98 dest[100-1] = L'\0';
99 printWLine(dest);
100 }
101}
102
103void CWE127_Buffer_Underread__wchar_t_declare_ncpy_14_good()
104{
105 goodG2B1();
106 goodG2B2();
107}
108
109#endif /* OMITGOOD */
110
111/* Below is the main(). It is only used when building this testcase on
112 * its own for testing or for building a binary to use in testing binary
113 * analysis tools. It is not used when compiling all the testcases as one
114 * application, which is how source code analysis tools are tested.
115 */
116
117#ifdef INCLUDEMAIN
118
119int main(int argc, char * argv[])
120{
121 /* seed randomness */
122 srand( (unsigned)time(NULL) );
123#ifndef OMITGOOD
124 printLine("Calling good()...");
125 CWE127_Buffer_Underread__wchar_t_declare_ncpy_14_good();
126 printLine("Finished good()");
127#endif /* OMITGOOD */
128#ifndef OMITBAD
129 printLine("Calling bad()...");
130 CWE127_Buffer_Underread__wchar_t_declare_ncpy_14_bad();
131 printLine("Finished bad()");
132#endif /* OMITBAD */
133 return 0;
134}
135
136#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 7823: CWE121_Stack_Based_Buffer_Overflow__CWE193_char_alloca_loop_07.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE193_char_alloca_loop_07.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE193.label.xml
4Template File: sources-sink-07.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Point data to a buffer that does not have space for a NULL terminator
10 * GoodSource: Point data to a buffer that includes space for a NULL terminator
11 * Sink: loop
12 * BadSink : Copy array to data using a loop
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING "AAAAAAAAAA"
25
26/* The variable below is not declared "const", but is never assigned
27 * any other value so a tool should be able to identify that reads of
28 * this will always give its initialized value.
29 */
30static int staticFive = 5;
31
32#ifndef OMITBAD
33
34void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_alloca_loop_07_bad()
35{
36 char * data;
37 char * dataBadBuffer = (char *)ALLOCA((10)*sizeof(char));
38 char * dataGoodBuffer = (char *)ALLOCA((10+1)*sizeof(char));
39 if(staticFive==5)
40 {
41 /* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing
42 * string copies in the sinks */
43 data = dataBadBuffer;
44 data[0] = '\0'; /* null terminate */
45 }
46 {
47 char source[10+1] = SRC_STRING;
48 size_t i, sourceLen;
49 sourceLen = strlen(source);
50 /* Copy length + 1 to include NUL terminator from source */
51 /* POTENTIAL FLAW: data may not have enough space to hold source */
52 for (i = 0; i < sourceLen + 1; i++)
53 {
54 data[i] = source[i];❗VULN
55 }
56 printLine(data);
57 }
58}
59
60#endif /* OMITBAD */
61
62#ifndef OMITGOOD
63
64/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
65static void goodG2B1()
66{
67 char * data;
68 char * dataBadBuffer = (char *)ALLOCA((10)*sizeof(char));
69 char * dataGoodBuffer = (char *)ALLOCA((10+1)*sizeof(char));
70 if(staticFive!=5)
71 {
72 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
73 printLine("Benign, fixed string");
74 }
75 else
76 {
77 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing
78 * string copies in the sinks */
79 data = dataGoodBuffer;
80 data[0] = '\0'; /* null terminate */
81 }
82 {
83 char source[10+1] = SRC_STRING;
84 size_t i, sourceLen;
85 sourceLen = strlen(source);
86 /* Copy length + 1 to include NUL terminator from source */
87 /* POTENTIAL FLAW: data may not have enough space to hold source */
88 for (i = 0; i < sourceLen + 1; i++)
89 {
90 data[i] = source[i];
91 }
92 printLine(data);
93 }
94}
95
96/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
97static void goodG2B2()
98{
99 char * data;
100 char * dataBadBuffer = (char *)ALLOCA((10)*sizeof(char));
101 char * dataGoodBuffer = (char *)ALLOCA((10+1)*sizeof(char));
102 if(staticFive==5)
103 {
104 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing
105 * string copies in the sinks */
106 data = dataGoodBuffer;
107 data[0] = '\0'; /* null terminate */
108 }
109 {
110 char source[10+1] = SRC_STRING;
111 size_t i, sourceLen;
112 sourceLen = strlen(source);
113 /* Copy length + 1 to include NUL terminator from source */
114 /* POTENTIAL FLAW: data may not have enough space to hold source */
115 for (i = 0; i < sourceLen + 1; i++)
116 {
117 data[i] = source[i];
118 }
119 printLine(data);
120 }
121}
122
123void CWE121_Stack_Based_Buffer_Overflow__CWE193_char_alloca_loop_07_good()
124{
125 goodG2B1();
126 goodG2B2();
127}
128
129#endif /* OMITGOOD */
130
131/* Below is the main(). It is only used when building this testcase on
132 * its own for testing or for building a binary to use in testing binary
133 * analysis tools. It is not used when compiling all the testcases as one
134 * application, which is how source code analysis tools are tested.
135 */
136
137#ifdef INCLUDEMAIN
138
139int main(int argc, char * argv[])
140{
141 /* seed randomness */
142 srand( (unsigned)time(NULL) );
143#ifndef OMITGOOD
144 printLine("Calling good()...");
145 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_alloca_loop_07_good();
146 printLine("Finished good()");
147#endif /* OMITGOOD */
148#ifndef OMITBAD
149 printLine("Calling bad()...");
150 CWE121_Stack_Based_Buffer_Overflow__CWE193_char_alloca_loop_07_bad();
151 printLine("Finished bad()");
152#endif /* OMITBAD */
153 return 0;
154}
155
156#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8328: CWE123_Write_What_Where_Condition__fgets_61a.c

Nodes: 11 | Sink Nodes: 2 predicted, 2 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* Error: Could not load file CWE123_Write_What_Where_Condition__fgets_61a.c: File CWE123_Write_What_Where_Condition__fgets_61a.c not found in any subfolder of /home/nimana11/Thesis/codes/VulExplainerExp-84ED_2/datasets/buffer overflow/function/testcases/CWE123_Write_What_Where_Condition */

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8808: CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_07.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_07.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE193.label.xml
4Template File: sources-sink-07.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Point data to a buffer that does not have space for a NULL terminator
10 * GoodSource: Point data to a buffer that includes space for a NULL terminator
11 * Sink: loop
12 * BadSink : Copy array to data using a loop
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING L"AAAAAAAAAA"
25
26/* The variable below is not declared "const", but is never assigned
27 * any other value so a tool should be able to identify that reads of
28 * this will always give its initialized value.
29 */
30static int staticFive = 5;
31
32#ifndef OMITBAD
33
34void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_07_bad()
35{
36 wchar_t * data;
37 wchar_t dataBadBuffer[10];
38 wchar_t dataGoodBuffer[10+1];
39 if(staticFive==5)
40 {
41 /* FLAW: Set a pointer to a buffer that does not leave room for a NULL terminator when performing
42 * string copies in the sinks */
43 data = dataBadBuffer;
44 data[0] = L'\0'; /* null terminate */
45 }
46 {
47 wchar_t source[10+1] = SRC_STRING;
48 size_t i, sourceLen;
49 sourceLen = wcslen(source);
50 /* Copy length + 1 to include NUL terminator from source */
51 /* POTENTIAL FLAW: data may not have enough space to hold source */
52 for (i = 0; i < sourceLen + 1; i++)
53 {
54 data[i] = source[i];❗VULN
55 }
56 printWLine(data);
57 }
58}
59
60#endif /* OMITBAD */
61
62#ifndef OMITGOOD
63
64/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
65static void goodG2B1()
66{
67 wchar_t * data;
68 wchar_t dataBadBuffer[10];
69 wchar_t dataGoodBuffer[10+1];
70 if(staticFive!=5)
71 {
72 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
73 printLine("Benign, fixed string");
74 }
75 else
76 {
77 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing
78 * string copies in the sinks */
79 data = dataGoodBuffer;
80 data[0] = L'\0'; /* null terminate */
81 }
82 {
83 wchar_t source[10+1] = SRC_STRING;
84 size_t i, sourceLen;
85 sourceLen = wcslen(source);
86 /* Copy length + 1 to include NUL terminator from source */
87 /* POTENTIAL FLAW: data may not have enough space to hold source */
88 for (i = 0; i < sourceLen + 1; i++)
89 {
90 data[i] = source[i];
91 }
92 printWLine(data);
93 }
94}
95
96/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
97static void goodG2B2()
98{
99 wchar_t * data;
100 wchar_t dataBadBuffer[10];
101 wchar_t dataGoodBuffer[10+1];
102 if(staticFive==5)
103 {
104 /* FIX: Set a pointer to a buffer that leaves room for a NULL terminator when performing
105 * string copies in the sinks */
106 data = dataGoodBuffer;
107 data[0] = L'\0'; /* null terminate */
108 }
109 {
110 wchar_t source[10+1] = SRC_STRING;
111 size_t i, sourceLen;
112 sourceLen = wcslen(source);
113 /* Copy length + 1 to include NUL terminator from source */
114 /* POTENTIAL FLAW: data may not have enough space to hold source */
115 for (i = 0; i < sourceLen + 1; i++)
116 {
117 data[i] = source[i];
118 }
119 printWLine(data);
120 }
121}
122
123void CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_07_good()
124{
125 goodG2B1();
126 goodG2B2();
127}
128
129#endif /* OMITGOOD */
130
131/* Below is the main(). It is only used when building this testcase on
132 * its own for testing or for building a binary to use in testing binary
133 * analysis tools. It is not used when compiling all the testcases as one
134 * application, which is how source code analysis tools are tested.
135 */
136
137#ifdef INCLUDEMAIN
138
139int main(int argc, char * argv[])
140{
141 /* seed randomness */
142 srand( (unsigned)time(NULL) );
143#ifndef OMITGOOD
144 printLine("Calling good()...");
145 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_07_good();
146 printLine("Finished good()");
147#endif /* OMITGOOD */
148#ifndef OMITBAD
149 printLine("Calling bad()...");
150 CWE121_Stack_Based_Buffer_Overflow__CWE193_wchar_t_declare_loop_07_bad();
151 printLine("Finished bad()");
152#endif /* OMITBAD */
153 return 0;
154}
155
156#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9605: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_07.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_07.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-07.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: memcpy
12 * BadSink : Copy twoIntsStruct array to data using memcpy
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19/* The variable below is not declared "const", but is never assigned
20 * any other value so a tool should be able to identify that reads of
21 * this will always give its initialized value.
22 */
23static int staticFive = 5;
24
25#ifndef OMITBAD
26
27void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_07_bad()
28{
29 twoIntsStruct * data;
30 twoIntsStruct dataBadBuffer[50];
31 twoIntsStruct dataGoodBuffer[100];
32 if(staticFive==5)
33 {
34 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
35 * buffer in various memory copying functions using a "large" source buffer. */
36 data = dataBadBuffer;
37 }
38 {
39 twoIntsStruct source[100];
40 {
41 size_t i;
42 /* Initialize array */
43 for (i = 0; i < 100; i++)
44 {
45 source[i].intOne = 0;
46 source[i].intTwo = 0;
47 }
48 }
49 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
50 memcpy(data, source, 100*sizeof(twoIntsStruct));❗VULN
51 printStructLine(&data[0]);
52 }
53}
54
55#endif /* OMITBAD */
56
57#ifndef OMITGOOD
58
59/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
60static void goodG2B1()
61{
62 twoIntsStruct * data;
63 twoIntsStruct dataBadBuffer[50];
64 twoIntsStruct dataGoodBuffer[100];
65 if(staticFive!=5)
66 {
67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
68 printLine("Benign, fixed string");
69 }
70 else
71 {
72 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
73 data = dataGoodBuffer;
74 }
75 {
76 twoIntsStruct source[100];
77 {
78 size_t i;
79 /* Initialize array */
80 for (i = 0; i < 100; i++)
81 {
82 source[i].intOne = 0;
83 source[i].intTwo = 0;
84 }
85 }
86 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
87 memcpy(data, source, 100*sizeof(twoIntsStruct));
88 printStructLine(&data[0]);
89 }
90}
91
92/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
93static void goodG2B2()
94{
95 twoIntsStruct * data;
96 twoIntsStruct dataBadBuffer[50];
97 twoIntsStruct dataGoodBuffer[100];
98 if(staticFive==5)
99 {
100 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
101 data = dataGoodBuffer;
102 }
103 {
104 twoIntsStruct source[100];
105 {
106 size_t i;
107 /* Initialize array */
108 for (i = 0; i < 100; i++)
109 {
110 source[i].intOne = 0;
111 source[i].intTwo = 0;
112 }
113 }
114 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
115 memcpy(data, source, 100*sizeof(twoIntsStruct));
116 printStructLine(&data[0]);
117 }
118}
119
120void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_07_good()
121{
122 goodG2B1();
123 goodG2B2();
124}
125
126#endif /* OMITGOOD */
127
128/* Below is the main(). It is only used when building this testcase on
129 * its own for testing or for building a binary to use in testing binary
130 * analysis tools. It is not used when compiling all the testcases as one
131 * application, which is how source code analysis tools are tested.
132 */
133
134#ifdef INCLUDEMAIN
135
136int main(int argc, char * argv[])
137{
138 /* seed randomness */
139 srand( (unsigned)time(NULL) );
140#ifndef OMITGOOD
141 printLine("Calling good()...");
142 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_07_good();
143 printLine("Finished good()");
144#endif /* OMITGOOD */
145#ifndef OMITBAD
146 printLine("Calling bad()...");
147 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memcpy_07_bad();
148 printLine("Finished bad()");
149#endif /* OMITBAD */
150 return 0;
151}
152
153#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3804: CWE123_Write_What_Where_Condition__listen_socket_14.c

Nodes: 44 | Sink Nodes: 2 predicted, 2 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* Error: Could not load file CWE123_Write_What_Where_Condition__listen_socket_14.c: File CWE123_Write_What_Where_Condition__listen_socket_14.c not found in any subfolder of /home/nimana11/Thesis/codes/VulExplainerExp-84ED_2/datasets/buffer overflow/function/testcases/CWE123_Write_What_Where_Condition */

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6884: CWE126_Buffer_Overread__char_declare_memmove_06.c

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__char_declare_memmove_06.c
3Label Definition File: CWE126_Buffer_Overread.stack.label.xml
4Template File: sources-sink-06.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Set data pointer to a small buffer
10 * GoodSource: Set data pointer to a large buffer
11 * Sink: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The variable below is declared "const", so a tool should be able
22 * to identify that reads of this will always give its initialized value. */
23static const int STATIC_CONST_FIVE = 5;
24
25#ifndef OMITBAD
26
27void CWE126_Buffer_Overread__char_declare_memmove_06_bad()
28{
29 char * data;
30 char dataBadBuffer[50];
31 char dataGoodBuffer[100];
32 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */
33 dataBadBuffer[50-1] = '\0'; /* null terminate */
34 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */
35 dataGoodBuffer[100-1] = '\0'; /* null terminate */
36 if(STATIC_CONST_FIVE==5)
37 {
38 /* FLAW: Set data pointer to a small buffer */
39 data = dataBadBuffer;
40 }
41 {
42 char dest[100];
43 memset(dest, 'C', 100-1);
44 dest[100-1] = '\0'; /* null terminate */
45 /* POTENTIAL FLAW: using memmove with the length of the dest where data
46 * could be smaller than dest causing buffer overread */
47 memmove(dest, data, strlen(dest)*sizeof(char));❗VULN
48 dest[100-1] = '\0';
49 printLine(dest);
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */
58static void goodG2B1()
59{
60 char * data;
61 char dataBadBuffer[50];
62 char dataGoodBuffer[100];
63 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */
64 dataBadBuffer[50-1] = '\0'; /* null terminate */
65 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */
66 dataGoodBuffer[100-1] = '\0'; /* null terminate */
67 if(STATIC_CONST_FIVE!=5)
68 {
69 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
70 printLine("Benign, fixed string");
71 }
72 else
73 {
74 /* FIX: Set data pointer to a large buffer */
75 data = dataGoodBuffer;
76 }
77 {
78 char dest[100];
79 memset(dest, 'C', 100-1);
80 dest[100-1] = '\0'; /* null terminate */
81 /* POTENTIAL FLAW: using memmove with the length of the dest where data
82 * could be smaller than dest causing buffer overread */
83 memmove(dest, data, strlen(dest)*sizeof(char));
84 dest[100-1] = '\0';
85 printLine(dest);
86 }
87}
88
89/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
90static void goodG2B2()
91{
92 char * data;
93 char dataBadBuffer[50];
94 char dataGoodBuffer[100];
95 memset(dataBadBuffer, 'A', 50-1); /* fill with 'A's */
96 dataBadBuffer[50-1] = '\0'; /* null terminate */
97 memset(dataGoodBuffer, 'A', 100-1); /* fill with 'A's */
98 dataGoodBuffer[100-1] = '\0'; /* null terminate */
99 if(STATIC_CONST_FIVE==5)
100 {
101 /* FIX: Set data pointer to a large buffer */
102 data = dataGoodBuffer;
103 }
104 {
105 char dest[100];
106 memset(dest, 'C', 100-1);
107 dest[100-1] = '\0'; /* null terminate */
108 /* POTENTIAL FLAW: using memmove with the length of the dest where data
109 * could be smaller than dest causing buffer overread */
110 memmove(dest, data, strlen(dest)*sizeof(char));
111 dest[100-1] = '\0';
112 printLine(dest);
113 }
114}
115
116void CWE126_Buffer_Overread__char_declare_memmove_06_good()
117{
118 goodG2B1();
119 goodG2B2();
120}
121
122#endif /* OMITGOOD */
123
124/* Below is the main(). It is only used when building this testcase on
125 * its own for testing or for building a binary to use in testing binary
126 * analysis tools. It is not used when compiling all the testcases as one
127 * application, which is how source code analysis tools are tested.
128 */
129
130#ifdef INCLUDEMAIN
131
132int main(int argc, char * argv[])
133{
134 /* seed randomness */
135 srand( (unsigned)time(NULL) );
136#ifndef OMITGOOD
137 printLine("Calling good()...");
138 CWE126_Buffer_Overread__char_declare_memmove_06_good();
139 printLine("Finished good()");
140#endif /* OMITGOOD */
141#ifndef OMITBAD
142 printLine("Calling bad()...");
143 CWE126_Buffer_Overread__char_declare_memmove_06_bad();
144 printLine("Finished bad()");
145#endif /* OMITBAD */
146 return 0;
147}
148
149#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4880: CWE127_Buffer_Underread__new_char_loop_21.cpp

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__new_char_loop_21.cpp
3Label Definition File: CWE127_Buffer_Underread__new.label.xml
4Template File: sources-sink-21.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 21 Control flow: Flow controlled by value of a static global variable. All functions contained in one file.
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE127_Buffer_Underread__new_char_loop_21
22{
23
24#ifndef OMITBAD
25
26/* The static variable below is used to drive control flow in the source function */
27static int badStatic = 0;
28
29static char * badSource(char * data)
30{
31 if(badStatic)
32 {
33 {
34 char * dataBuffer = new char[100];
35 memset(dataBuffer, 'A', 100-1);
36 dataBuffer[100-1] = '\0';
37 /* FLAW: Set data pointer to before the allocated memory buffer */
38 data = dataBuffer - 8;
39 }
40 }
41 return data;
42}
43
44void bad()
45{
46 char * data;
47 data = NULL;
48 badStatic = 1; /* true */
49 data = badSource(data);
50 {
51 size_t i;
52 char dest[100];
53 memset(dest, 'C', 100-1); /* fill with 'C's */
54 dest[100-1] = '\0'; /* null terminate */
55 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
56 for (i = 0; i < 100; i++)
57 {
58 dest[i] = data[i];❗VULN
59 }
60 /* Ensure null termination */
61 dest[100-1] = '\0';
62 printLine(dest);
63 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
64 * returned by new [] so can't safely call delete [] on it */
65 }
66 ;
67}
68
69#endif /* OMITBAD */
70
71#ifndef OMITGOOD
72
73/* The static variables below are used to drive control flow in the source functions. */
74static int goodG2B1Static = 0;
75static int goodG2B2Static = 0;
76
77/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */
78static char * goodG2B1Source(char * data)
79{
80 if(goodG2B1Static)
81 {
82 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
83 printLine("Benign, fixed string");
84 }
85 else
86 {
87 {
88 char * dataBuffer = new char[100];
89 memset(dataBuffer, 'A', 100-1);
90 dataBuffer[100-1] = '\0';
91 /* FIX: Set data pointer to the allocated memory buffer */
92 data = dataBuffer;
93 }
94 }
95 return data;
96}
97
98static void goodG2B1()
99{
100 char * data;
101 data = NULL;
102 goodG2B1Static = 0; /* false */
103 data = goodG2B1Source(data);
104 {
105 size_t i;
106 char dest[100];
107 memset(dest, 'C', 100-1); /* fill with 'C's */
108 dest[100-1] = '\0'; /* null terminate */
109 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
110 for (i = 0; i < 100; i++)
111 {
112 dest[i] = data[i];
113 }
114 /* Ensure null termination */
115 dest[100-1] = '\0';
116 printLine(dest);
117 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
118 * returned by new [] so can't safely call delete [] on it */
119 }
120 ;
121}
122
123/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */
124static char * goodG2B2Source(char * data)
125{
126 if(goodG2B2Static)
127 {
128 {
129 char * dataBuffer = new char[100];
130 memset(dataBuffer, 'A', 100-1);
131 dataBuffer[100-1] = '\0';
132 /* FIX: Set data pointer to the allocated memory buffer */
133 data = dataBuffer;
134 }
135 }
136 return data;
137}
138
139static void goodG2B2()
140{
141 char * data;
142 data = NULL;
143 goodG2B2Static = 1; /* true */
144 data = goodG2B2Source(data);
145 {
146 size_t i;
147 char dest[100];
148 memset(dest, 'C', 100-1); /* fill with 'C's */
149 dest[100-1] = '\0'; /* null terminate */
150 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
151 for (i = 0; i < 100; i++)
152 {
153 dest[i] = data[i];
154 }
155 /* Ensure null termination */
156 dest[100-1] = '\0';
157 printLine(dest);
158 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
159 * returned by new [] so can't safely call delete [] on it */
160 }
161 ;
162}
163
164void good()
165{
166 goodG2B1();
167 goodG2B2();
168}
169
170#endif /* OMITGOOD */
171
172} /* close namespace */
173
174/* Below is the main(). It is only used when building this testcase on
175 its own for testing or for building a binary to use in testing binary
176 analysis tools. It is not used when compiling all the testcases as one
177 application, which is how source code analysis tools are tested. */
178
179#ifdef INCLUDEMAIN
180
181using namespace CWE127_Buffer_Underread__new_char_loop_21; /* so that we can use good and bad easily */
182
183int main(int argc, char * argv[])
184{
185 /* seed randomness */
186 srand( (unsigned)time(NULL) );
187#ifndef OMITGOOD
188 printLine("Calling good()...");
189 good();
190 printLine("Finished good()");
191#endif /* OMITGOOD */
192#ifndef OMITBAD
193 printLine("Calling bad()...");
194 bad();
195 printLine("Finished bad()");
196#endif /* OMITBAD */
197 return 0;
198}
199
200#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2566: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_34.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_34.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE193.label.xml
4Template File: sources-sink-34.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory for a string, but do not allocate space for NULL terminator
10 * GoodSource: Allocate enough memory for a string and the NULL terminator
11 * Sinks: memmove
12 * BadSink : Copy string to data using memmove()
13 * Flow Variant: 34 Data flow: use of a union containing two methods of accessing the same data (within the same function)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef _WIN32
20#include <wchar.h>
21#endif
22
23/* MAINTENANCE NOTE: The length of this string should equal the 10 */
24#define SRC_STRING "AAAAAAAAAA"
25
26typedef union
27{
28 char * unionFirst;
29 char * unionSecond;
30} CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_34_unionType;
31
32#ifndef OMITBAD
33
34void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_34_bad()
35{
36 char * data;
37 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_34_unionType myUnion;
38 data = NULL;
39 /* FLAW: Did not leave space for a null terminator */
40 data = (char *)malloc(10*sizeof(char));
41 if (data == NULL) {exit(-1);}
42 myUnion.unionFirst = data;
43 {
44 char * data = myUnion.unionSecond;
45 {
46 char source[10+1] = SRC_STRING;
47 /* Copy length + 1 to include NUL terminator from source */
48 /* POTENTIAL FLAW: data may not have enough space to hold source */
49 memmove(data, source, (strlen(source) + 1) * sizeof(char));❗VULN
50 printLine(data);
51 free(data);
52 }
53 }
54}
55
56#endif /* OMITBAD */
57
58#ifndef OMITGOOD
59
60/* goodG2B() uses the GoodSource with the BadSink */
61static void goodG2B()
62{
63 char * data;
64 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_34_unionType myUnion;
65 data = NULL;
66 /* FIX: Allocate space for a null terminator */
67 data = (char *)malloc((10+1)*sizeof(char));
68 if (data == NULL) {exit(-1);}
69 myUnion.unionFirst = data;
70 {
71 char * data = myUnion.unionSecond;
72 {
73 char source[10+1] = SRC_STRING;
74 /* Copy length + 1 to include NUL terminator from source */
75 /* POTENTIAL FLAW: data may not have enough space to hold source */
76 memmove(data, source, (strlen(source) + 1) * sizeof(char));
77 printLine(data);
78 free(data);
79 }
80 }
81}
82
83void CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_34_good()
84{
85 goodG2B();
86}
87
88#endif /* OMITGOOD */
89
90/* Below is the main(). It is only used when building this testcase on
91 * its own for testing or for building a binary to use in testing binary
92 * analysis tools. It is not used when compiling all the testcases as one
93 * application, which is how source code analysis tools are tested.
94 */
95#ifdef INCLUDEMAIN
96
97int main(int argc, char * argv[])
98{
99 /* seed randomness */
100 srand( (unsigned)time(NULL) );
101#ifndef OMITGOOD
102 printLine("Calling good()...");
103 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_34_good();
104 printLine("Finished good()");
105#endif /* OMITGOOD */
106#ifndef OMITBAD
107 printLine("Calling bad()...");
108 CWE122_Heap_Based_Buffer_Overflow__c_CWE193_char_memmove_34_bad();
109 printLine("Finished bad()");
110#endif /* OMITBAD */
111 return 0;
112}
113
114#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 202: CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_02.c

Nodes: 9 | Sink Nodes: 7 predicted, 2 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_02.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__sizeof.label.xml
4Template File: sources-sink-02.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize the source buffer using the size of a pointer
10 * GoodSource: Initialize the source buffer using the size of the DataElementType
11 * Sink:
12 * BadSink : Print then free data
13 * Flow Variant: 02 Control flow: if(1) and if(0)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_02_bad()
22{
23 int64_t * data;
24 /* Initialize data */
25 data = NULL;
26 if(1)
27 {
28 /* INCIDENTAL: CWE-467 (Use of sizeof() on a pointer type) */
29 /* FLAW: Using sizeof the pointer and not the data type in malloc() */
30 data = (int64_t *)malloc(sizeof(data));
31 if (data == NULL) {exit(-1);}
32 *data = 2147483643LL;❗VULN
33 }
34 /* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */
35 printLongLongLine(*data);❗VULN
36 free(data);
37}
38
39#endif /* OMITBAD */
40
41#ifndef OMITGOOD
42
43/* goodG2B1() - use goodsource and badsink by changing the 1 to 0 */
44static void goodG2B1()
45{
46 int64_t * data;
47 /* Initialize data */
48 data = NULL;
49 if(0)
50 {
51 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
52 printLine("Benign, fixed string");
53 }
54 else
55 {
56 /* FIX: Using sizeof the data type in malloc() */
57 data = (int64_t *)malloc(sizeof(*data));
58 if (data == NULL) {exit(-1);}
59 *data = 2147483643LL;
60 }
61 /* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */
62 printLongLongLine(*data);
63 free(data);
64}
65
66/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
67static void goodG2B2()
68{
69 int64_t * data;
70 /* Initialize data */
71 data = NULL;
72 if(1)
73 {
74 /* FIX: Using sizeof the data type in malloc() */
75 data = (int64_t *)malloc(sizeof(*data));
76 if (data == NULL) {exit(-1);}
77 *data = 2147483643LL;
78 }
79 /* POTENTIAL FLAW: Attempt to use data, which may not have enough memory allocated */
80 printLongLongLine(*data);
81 free(data);
82}
83
84void CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_02_good()
85{
86 goodG2B1();
87 goodG2B2();
88}
89
90#endif /* OMITGOOD */
91
92/* Below is the main(). It is only used when building this testcase on
93 * its own for testing or for building a binary to use in testing binary
94 * analysis tools. It is not used when compiling all the testcases as one
95 * application, which is how source code analysis tools are tested.
96 */
97
98#ifdef INCLUDEMAIN
99
100int main(int argc, char * argv[])
101{
102 /* seed randomness */
103 srand( (unsigned)time(NULL) );
104#ifndef OMITGOOD
105 printLine("Calling good()...");
106 CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_02_good();
107 printLine("Finished good()");
108#endif /* OMITGOOD */
109#ifndef OMITBAD
110 printLine("Calling bad()...");
111 CWE122_Heap_Based_Buffer_Overflow__sizeof_int64_t_02_bad();
112 printLine("Finished bad()");
113#endif /* OMITBAD */
114 return 0;
115}
116
117#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6424: CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_04.c

Nodes: 21 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_04.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE129.label.xml
4Template File: sources-sinks-04.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: rand Set data to result of rand(), which may be zero
10 * GoodSource: Larger than zero but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the upper bound
14 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)
15 *
16 * */
17
18#include "std_testcase.h"
19
20/* The two variables below are declared "const", so a tool should
21 be able to identify that reads of these will always return their
22 initialized values. */
23static const int STATIC_CONST_TRUE = 1; /* true */
24static const int STATIC_CONST_FALSE = 0; /* false */
25
26#ifndef OMITBAD
27
28void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_04_bad()
29{
30 int data;
31 /* Initialize data */
32 data = -1;
33 if(STATIC_CONST_TRUE)
34 {
35 /* POTENTIAL FLAW: Set data to a random value */
36 data = RAND32();
37 }
38 if(STATIC_CONST_TRUE)
39 {
40 {
41 int i;
42 int * buffer = (int *)malloc(10 * sizeof(int));
43 if (buffer == NULL) {exit(-1);}
44 /* initialize buffer */
45 for (i = 0; i < 10; i++)
46 {
47 buffer[i] = 0;
48 }
49 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
50 * This code does check to see if the array index is negative */
51 if (data >= 0)
52 {
53 buffer[data] = 1;❗VULN
54 /* Print the array values */
55 for(i = 0; i < 10; i++)
56 {
57 printIntLine(buffer[i]);
58 }
59 }
60 else
61 {
62 printLine("ERROR: Array index is negative.");
63 }
64 free(buffer);
65 }
66 }
67}
68
69#endif /* OMITBAD */
70
71#ifndef OMITGOOD
72
73/* goodB2G1() - use badsource and goodsink by changing the second STATIC_CONST_TRUE to STATIC_CONST_FALSE */
74static void goodB2G1()
75{
76 int data;
77 /* Initialize data */
78 data = -1;
79 if(STATIC_CONST_TRUE)
80 {
81 /* POTENTIAL FLAW: Set data to a random value */
82 data = RAND32();
83 }
84 if(STATIC_CONST_FALSE)
85 {
86 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
87 printLine("Benign, fixed string");
88 }
89 else
90 {
91 {
92 int i;
93 int * buffer = (int *)malloc(10 * sizeof(int));
94 if (buffer == NULL) {exit(-1);}
95 /* initialize buffer */
96 for (i = 0; i < 10; i++)
97 {
98 buffer[i] = 0;
99 }
100 /* FIX: Properly validate the array index and prevent a buffer overflow */
101 if (data >= 0 && data < (10))
102 {
103 buffer[data] = 1;
104 /* Print the array values */
105 for(i = 0; i < 10; i++)
106 {
107 printIntLine(buffer[i]);
108 }
109 }
110 else
111 {
112 printLine("ERROR: Array index is out-of-bounds");
113 }
114 free(buffer);
115 }
116 }
117}
118
119/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */
120static void goodB2G2()
121{
122 int data;
123 /* Initialize data */
124 data = -1;
125 if(STATIC_CONST_TRUE)
126 {
127 /* POTENTIAL FLAW: Set data to a random value */
128 data = RAND32();
129 }
130 if(STATIC_CONST_TRUE)
131 {
132 {
133 int i;
134 int * buffer = (int *)malloc(10 * sizeof(int));
135 if (buffer == NULL) {exit(-1);}
136 /* initialize buffer */
137 for (i = 0; i < 10; i++)
138 {
139 buffer[i] = 0;
140 }
141 /* FIX: Properly validate the array index and prevent a buffer overflow */
142 if (data >= 0 && data < (10))
143 {
144 buffer[data] = 1;
145 /* Print the array values */
146 for(i = 0; i < 10; i++)
147 {
148 printIntLine(buffer[i]);
149 }
150 }
151 else
152 {
153 printLine("ERROR: Array index is out-of-bounds");
154 }
155 free(buffer);
156 }
157 }
158}
159
160/* goodG2B1() - use goodsource and badsink by changing the first STATIC_CONST_TRUE to STATIC_CONST_FALSE */
161static void goodG2B1()
162{
163 int data;
164 /* Initialize data */
165 data = -1;
166 if(STATIC_CONST_FALSE)
167 {
168 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
169 printLine("Benign, fixed string");
170 }
171 else
172 {
173 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
174 * access an index of the array in the sink that is out-of-bounds */
175 data = 7;
176 }
177 if(STATIC_CONST_TRUE)
178 {
179 {
180 int i;
181 int * buffer = (int *)malloc(10 * sizeof(int));
182 if (buffer == NULL) {exit(-1);}
183 /* initialize buffer */
184 for (i = 0; i < 10; i++)
185 {
186 buffer[i] = 0;
187 }
188 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
189 * This code does check to see if the array index is negative */
190 if (data >= 0)
191 {
192 buffer[data] = 1;
193 /* Print the array values */
194 for(i = 0; i < 10; i++)
195 {
196 printIntLine(buffer[i]);
197 }
198 }
199 else
200 {
201 printLine("ERROR: Array index is negative.");
202 }
203 free(buffer);
204 }
205 }
206}
207
208/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */
209static void goodG2B2()
210{
211 int data;
212 /* Initialize data */
213 data = -1;
214 if(STATIC_CONST_TRUE)
215 {
216 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
217 * access an index of the array in the sink that is out-of-bounds */
218 data = 7;
219 }
220 if(STATIC_CONST_TRUE)
221 {
222 {
223 int i;
224 int * buffer = (int *)malloc(10 * sizeof(int));
225 if (buffer == NULL) {exit(-1);}
226 /* initialize buffer */
227 for (i = 0; i < 10; i++)
228 {
229 buffer[i] = 0;
230 }
231 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
232 * This code does check to see if the array index is negative */
233 if (data >= 0)
234 {
235 buffer[data] = 1;
236 /* Print the array values */
237 for(i = 0; i < 10; i++)
238 {
239 printIntLine(buffer[i]);
240 }
241 }
242 else
243 {
244 printLine("ERROR: Array index is negative.");
245 }
246 free(buffer);
247 }
248 }
249}
250
251void CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_04_good()
252{
253 goodB2G1();
254 goodB2G2();
255 goodG2B1();
256 goodG2B2();
257}
258
259#endif /* OMITGOOD */
260
261/* Below is the main(). It is only used when building this testcase on
262 its own for testing or for building a binary to use in testing binary
263 analysis tools. It is not used when compiling all the testcases as one
264 application, which is how source code analysis tools are tested. */
265
266#ifdef INCLUDEMAIN
267
268int main(int argc, char * argv[])
269{
270 /* seed randomness */
271 srand( (unsigned)time(NULL) );
272#ifndef OMITGOOD
273 printLine("Calling good()...");
274 CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_04_good();
275 printLine("Finished good()");
276#endif /* OMITGOOD */
277#ifndef OMITBAD
278 printLine("Calling bad()...");
279 CWE122_Heap_Based_Buffer_Overflow__c_CWE129_rand_04_bad();
280 printLine("Finished bad()");
281#endif /* OMITBAD */
282 return 0;
283}
284
285#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1612: CWE126_Buffer_Overread__new_wchar_t_memmove_06.cpp

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__new_wchar_t_memmove_06.cpp
3Label Definition File: CWE126_Buffer_Overread__new.label.xml
4Template File: sources-sink-06.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Over-read
9 * BadSource: Use a small buffer
10 * GoodSource: Use a large buffer
11 * Sink: memmove
12 * BadSink : Copy data to string using memmove
13 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The variable below is declared "const", so a tool should be able
22 to identify that reads of this will always give its initialized
23 value. */
24static const int STATIC_CONST_FIVE = 5;
25
26namespace CWE126_Buffer_Overread__new_wchar_t_memmove_06
27{
28
29#ifndef OMITBAD
30
31void bad()
32{
33 wchar_t * data;
34 data = NULL;
35 if(STATIC_CONST_FIVE==5)
36 {
37 /* FLAW: Use a small buffer */
38 data = new wchar_t[50];
39 wmemset(data, L'A', 50-1); /* fill with 'A's */
40 data[50-1] = L'\0'; /* null terminate */
41 }
42 {
43 wchar_t dest[100];
44 wmemset(dest, L'C', 100-1);
45 dest[100-1] = L'\0'; /* null terminate */
46 /* POTENTIAL FLAW: using memmove with the length of the dest where data
47 * could be smaller than dest causing buffer overread */
48 memmove(dest, data, wcslen(dest)*sizeof(wchar_t));❗VULN
49 dest[100-1] = L'\0';
50 printWLine(dest);
51 delete [] data;
52 }
53}
54
55#endif /* OMITBAD */
56
57#ifndef OMITGOOD
58
59/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */
60static void goodG2B1()
61{
62 wchar_t * data;
63 data = NULL;
64 if(STATIC_CONST_FIVE!=5)
65 {
66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
67 printLine("Benign, fixed string");
68 }
69 else
70 {
71 /* FIX: Use a large buffer */
72 data = new wchar_t[100];
73 wmemset(data, L'A', 100-1); /* fill with 'A's */
74 data[100-1] = L'\0'; /* null terminate */
75 }
76 {
77 wchar_t dest[100];
78 wmemset(dest, L'C', 100-1);
79 dest[100-1] = L'\0'; /* null terminate */
80 /* POTENTIAL FLAW: using memmove with the length of the dest where data
81 * could be smaller than dest causing buffer overread */
82 memmove(dest, data, wcslen(dest)*sizeof(wchar_t));
83 dest[100-1] = L'\0';
84 printWLine(dest);
85 delete [] data;
86 }
87}
88
89/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
90static void goodG2B2()
91{
92 wchar_t * data;
93 data = NULL;
94 if(STATIC_CONST_FIVE==5)
95 {
96 /* FIX: Use a large buffer */
97 data = new wchar_t[100];
98 wmemset(data, L'A', 100-1); /* fill with 'A's */
99 data[100-1] = L'\0'; /* null terminate */
100 }
101 {
102 wchar_t dest[100];
103 wmemset(dest, L'C', 100-1);
104 dest[100-1] = L'\0'; /* null terminate */
105 /* POTENTIAL FLAW: using memmove with the length of the dest where data
106 * could be smaller than dest causing buffer overread */
107 memmove(dest, data, wcslen(dest)*sizeof(wchar_t));
108 dest[100-1] = L'\0';
109 printWLine(dest);
110 delete [] data;
111 }
112}
113
114void good()
115{
116 goodG2B1();
117 goodG2B2();
118}
119
120#endif /* OMITGOOD */
121
122} /* close namespace */
123
124/* Below is the main(). It is only used when building this testcase on
125 its own for testing or for building a binary to use in testing binary
126 analysis tools. It is not used when compiling all the testcases as one
127 application, which is how source code analysis tools are tested. */
128
129#ifdef INCLUDEMAIN
130
131using namespace CWE126_Buffer_Overread__new_wchar_t_memmove_06; /* so that we can use good and bad easily */
132
133int main(int argc, char * argv[])
134{
135 /* seed randomness */
136 srand( (unsigned)time(NULL) );
137#ifndef OMITGOOD
138 printLine("Calling good()...");
139 good();
140 printLine("Finished good()");
141#endif /* OMITGOOD */
142#ifndef OMITBAD
143 printLine("Calling bad()...");
144 bad();
145 printLine("Finished bad()");
146#endif /* OMITBAD */
147 return 0;
148}
149
150#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2062: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_snprintf_32.c

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_snprintf_32.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml
4Template File: sources-sink-32.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: snprintf
12 * BadSink : Copy string to data using snprintf
13 * Flow Variant: 32 Data flow using two pointers to the same value within the same function
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifdef _WIN32
22#define SNPRINTF _snprintf
23#else
24#define SNPRINTF snprintf
25#endif
26
27#ifndef OMITBAD
28
29void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_snprintf_32_bad()
30{
31 char * data;
32 char * *dataPtr1 = &data;
33 char * *dataPtr2 = &data;
34 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
35 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
36 {
37 char * data = *dataPtr1;
38 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
39 * buffer in various memory copying functions using a "large" source buffer. */
40 data = dataBadBuffer;
41 data[0] = '\0'; /* null terminate */
42 *dataPtr1 = data;
43 }
44 {
45 char * data = *dataPtr2;
46 {
47 char source[100];
48 memset(source, 'C', 100-1); /* fill with 'C's */
49 source[100-1] = '\0'; /* null terminate */
50 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
51 SNPRINTF(data, 100, "%s", source);❗VULN
52 printLine(data);
53 }
54 }
55}
56
57#endif /* OMITBAD */
58
59#ifndef OMITGOOD
60
61/* goodG2B() uses the GoodSource with the BadSink */
62static void goodG2B()
63{
64 char * data;
65 char * *dataPtr1 = &data;
66 char * *dataPtr2 = &data;
67 char * dataBadBuffer = (char *)ALLOCA(50*sizeof(char));
68 char * dataGoodBuffer = (char *)ALLOCA(100*sizeof(char));
69 {
70 char * data = *dataPtr1;
71 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
72 data = dataGoodBuffer;
73 data[0] = '\0'; /* null terminate */
74 *dataPtr1 = data;
75 }
76 {
77 char * data = *dataPtr2;
78 {
79 char source[100];
80 memset(source, 'C', 100-1); /* fill with 'C's */
81 source[100-1] = '\0'; /* null terminate */
82 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
83 SNPRINTF(data, 100, "%s", source);
84 printLine(data);
85 }
86 }
87}
88
89void CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_snprintf_32_good()
90{
91 goodG2B();
92}
93
94#endif /* OMITGOOD */
95
96/* Below is the main(). It is only used when building this testcase on
97 * its own for testing or for building a binary to use in testing binary
98 * analysis tools. It is not used when compiling all the testcases as one
99 * application, which is how source code analysis tools are tested.
100 */
101#ifdef INCLUDEMAIN
102
103int main(int argc, char * argv[])
104{
105 /* seed randomness */
106 srand( (unsigned)time(NULL) );
107#ifndef OMITGOOD
108 printLine("Calling good()...");
109 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_snprintf_32_good();
110 printLine("Finished good()");
111#endif /* OMITGOOD */
112#ifndef OMITBAD
113 printLine("Calling bad()...");
114 CWE121_Stack_Based_Buffer_Overflow__CWE805_char_alloca_snprintf_32_bad();
115 printLine("Finished bad()");
116#endif /* OMITBAD */
117 return 0;
118}
119
120#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 8711: CWE127_Buffer_Underread__wchar_t_alloca_loop_15.c

Nodes: 21 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__wchar_t_alloca_loop_15.c
3Label Definition File: CWE127_Buffer_Underread.stack.label.xml
4Template File: sources-sink-15.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: loop
12 * BadSink : Copy data to string using a loop
13 * Flow Variant: 15 Control flow: switch(6)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__wchar_t_alloca_loop_15_bad()
24{
25 wchar_t * data;
26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
27 wmemset(dataBuffer, L'A', 100-1);
28 dataBuffer[100-1] = L'\0';
29 switch(6)
30 {
31 case 6:
32 /* FLAW: Set data pointer to before the allocated memory buffer */
33 data = dataBuffer - 8;
34 break;
35 default:
36 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
37 printLine("Benign, fixed string");
38 break;
39 }
40 {
41 size_t i;
42 wchar_t dest[100];
43 wmemset(dest, L'C', 100-1); /* fill with 'C's */
44 dest[100-1] = L'\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
46 for (i = 0; i < 100; i++)
47 {
48 dest[i] = data[i];❗VULN
49 }
50 /* Ensure null termination */
51 dest[100-1] = L'\0';
52 printWLine(dest);
53 }
54}
55
56#endif /* OMITBAD */
57
58#ifndef OMITGOOD
59
60/* goodG2B1() - use goodsource and badsink by changing the switch to switch(5) */
61static void goodG2B1()
62{
63 wchar_t * data;
64 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
65 wmemset(dataBuffer, L'A', 100-1);
66 dataBuffer[100-1] = L'\0';
67 switch(5)
68 {
69 case 6:
70 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
71 printLine("Benign, fixed string");
72 break;
73 default:
74 /* FIX: Set data pointer to the allocated memory buffer */
75 data = dataBuffer;
76 break;
77 }
78 {
79 size_t i;
80 wchar_t dest[100];
81 wmemset(dest, L'C', 100-1); /* fill with 'C's */
82 dest[100-1] = L'\0'; /* null terminate */
83 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
84 for (i = 0; i < 100; i++)
85 {
86 dest[i] = data[i];
87 }
88 /* Ensure null termination */
89 dest[100-1] = L'\0';
90 printWLine(dest);
91 }
92}
93
94/* goodG2B2() - use goodsource and badsink by reversing the blocks in the switch */
95static void goodG2B2()
96{
97 wchar_t * data;
98 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
99 wmemset(dataBuffer, L'A', 100-1);
100 dataBuffer[100-1] = L'\0';
101 switch(6)
102 {
103 case 6:
104 /* FIX: Set data pointer to the allocated memory buffer */
105 data = dataBuffer;
106 break;
107 default:
108 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
109 printLine("Benign, fixed string");
110 break;
111 }
112 {
113 size_t i;
114 wchar_t dest[100];
115 wmemset(dest, L'C', 100-1); /* fill with 'C's */
116 dest[100-1] = L'\0'; /* null terminate */
117 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
118 for (i = 0; i < 100; i++)
119 {
120 dest[i] = data[i];
121 }
122 /* Ensure null termination */
123 dest[100-1] = L'\0';
124 printWLine(dest);
125 }
126}
127
128void CWE127_Buffer_Underread__wchar_t_alloca_loop_15_good()
129{
130 goodG2B1();
131 goodG2B2();
132}
133
134#endif /* OMITGOOD */
135
136/* Below is the main(). It is only used when building this testcase on
137 * its own for testing or for building a binary to use in testing binary
138 * analysis tools. It is not used when compiling all the testcases as one
139 * application, which is how source code analysis tools are tested.
140 */
141
142#ifdef INCLUDEMAIN
143
144int main(int argc, char * argv[])
145{
146 /* seed randomness */
147 srand( (unsigned)time(NULL) );
148#ifndef OMITGOOD
149 printLine("Calling good()...");
150 CWE127_Buffer_Underread__wchar_t_alloca_loop_15_good();
151 printLine("Finished good()");
152#endif /* OMITGOOD */
153#ifndef OMITBAD
154 printLine("Calling bad()...");
155 CWE127_Buffer_Underread__wchar_t_alloca_loop_15_bad();
156 printLine("Finished bad()");
157#endif /* OMITBAD */
158 return 0;
159}
160
161#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6197: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memmove_07.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memmove_07.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.label.xml
4Template File: sources-sink-07.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: memmove
12 * BadSink : Copy twoIntsStruct array to data using memmove
13 * Flow Variant: 07 Control flow: if(staticFive==5) and if(staticFive!=5)
14 *
15 * */
16
17#include "std_testcase.h"
18
19/* The variable below is not declared "const", but is never assigned
20 * any other value so a tool should be able to identify that reads of
21 * this will always give its initialized value.
22 */
23static int staticFive = 5;
24
25#ifndef OMITBAD
26
27void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memmove_07_bad()
28{
29 twoIntsStruct * data;
30 twoIntsStruct dataBadBuffer[50];
31 twoIntsStruct dataGoodBuffer[100];
32 if(staticFive==5)
33 {
34 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
35 * buffer in various memory copying functions using a "large" source buffer. */
36 data = dataBadBuffer;
37 }
38 {
39 twoIntsStruct source[100];
40 {
41 size_t i;
42 /* Initialize array */
43 for (i = 0; i < 100; i++)
44 {
45 source[i].intOne = 0;
46 source[i].intTwo = 0;
47 }
48 }
49 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
50 memmove(data, source, 100*sizeof(twoIntsStruct));❗VULN
51 printStructLine(&data[0]);
52 }
53}
54
55#endif /* OMITBAD */
56
57#ifndef OMITGOOD
58
59/* goodG2B1() - use goodsource and badsink by changing the staticFive==5 to staticFive!=5 */
60static void goodG2B1()
61{
62 twoIntsStruct * data;
63 twoIntsStruct dataBadBuffer[50];
64 twoIntsStruct dataGoodBuffer[100];
65 if(staticFive!=5)
66 {
67 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
68 printLine("Benign, fixed string");
69 }
70 else
71 {
72 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
73 data = dataGoodBuffer;
74 }
75 {
76 twoIntsStruct source[100];
77 {
78 size_t i;
79 /* Initialize array */
80 for (i = 0; i < 100; i++)
81 {
82 source[i].intOne = 0;
83 source[i].intTwo = 0;
84 }
85 }
86 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
87 memmove(data, source, 100*sizeof(twoIntsStruct));
88 printStructLine(&data[0]);
89 }
90}
91
92/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
93static void goodG2B2()
94{
95 twoIntsStruct * data;
96 twoIntsStruct dataBadBuffer[50];
97 twoIntsStruct dataGoodBuffer[100];
98 if(staticFive==5)
99 {
100 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
101 data = dataGoodBuffer;
102 }
103 {
104 twoIntsStruct source[100];
105 {
106 size_t i;
107 /* Initialize array */
108 for (i = 0; i < 100; i++)
109 {
110 source[i].intOne = 0;
111 source[i].intTwo = 0;
112 }
113 }
114 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
115 memmove(data, source, 100*sizeof(twoIntsStruct));
116 printStructLine(&data[0]);
117 }
118}
119
120void CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memmove_07_good()
121{
122 goodG2B1();
123 goodG2B2();
124}
125
126#endif /* OMITGOOD */
127
128/* Below is the main(). It is only used when building this testcase on
129 * its own for testing or for building a binary to use in testing binary
130 * analysis tools. It is not used when compiling all the testcases as one
131 * application, which is how source code analysis tools are tested.
132 */
133
134#ifdef INCLUDEMAIN
135
136int main(int argc, char * argv[])
137{
138 /* seed randomness */
139 srand( (unsigned)time(NULL) );
140#ifndef OMITGOOD
141 printLine("Calling good()...");
142 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memmove_07_good();
143 printLine("Finished good()");
144#endif /* OMITGOOD */
145#ifndef OMITBAD
146 printLine("Calling bad()...");
147 CWE121_Stack_Based_Buffer_Overflow__CWE805_struct_declare_memmove_07_bad();
148 printLine("Finished bad()");
149#endif /* OMITBAD */
150 return 0;
151}
152
153#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4134: CWE126_Buffer_Overread__CWE129_listen_socket_08.c

Nodes: 44 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE126_Buffer_Overread__CWE129_listen_socket_08.c
3Label Definition File: CWE126_Buffer_Overread__CWE129.label.xml
4Template File: sources-sinks-08.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 126 Buffer Overread
9 * BadSource: listen_socket Read data using a listen socket (server side)
10 * GoodSource: Larger than zero but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the upper bound
14 * Flow Variant: 08 Control flow: if(staticReturnsTrue()) and if(staticReturnsFalse())
15 *
16 * */
17
18#include "std_testcase.h"
19
20#ifdef _WIN32
21#include <winsock2.h>
22#include <windows.h>
23#include <direct.h>
24#pragma comment(lib, "ws2_32") /* include ws2_32.lib when linking */
25#define CLOSE_SOCKET closesocket
26#else
27#include <sys/types.h>
28#include <sys/socket.h>
29#include <netinet/in.h>
30#include <arpa/inet.h>
31#include <unistd.h>
32#define INVALID_SOCKET -1
33#define SOCKET_ERROR -1
34#define CLOSE_SOCKET close
35#define SOCKET int
36#endif
37
38#define TCP_PORT 27015
39#define LISTEN_BACKLOG 5
40#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)
41
42/* The two function below always return the same value, so a tool
43 should be able to identify that calls to the functions will always
44 return a fixed value. */
45static int staticReturnsTrue()
46{
47 return 1;
48}
49
50static int staticReturnsFalse()
51{
52 return 0;
53}
54
55#ifndef OMITBAD
56
57void CWE126_Buffer_Overread__CWE129_listen_socket_08_bad()
58{
59 int data;
60 /* Initialize data */
61 data = -1;
62 if(staticReturnsTrue())
63 {
64 {
65#ifdef _WIN32
66 WSADATA wsaData;
67 int wsaDataInit = 0;
68#endif
69 int recvResult;
70 struct sockaddr_in service;
71 SOCKET listenSocket = INVALID_SOCKET;
72 SOCKET acceptSocket = INVALID_SOCKET;
73 char inputBuffer[CHAR_ARRAY_SIZE];
74 do
75 {
76#ifdef _WIN32
77 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
78 {
79 break;
80 }
81 wsaDataInit = 1;
82#endif
83 /* POTENTIAL FLAW: Read data using a listen socket */
84 listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
85 if (listenSocket == INVALID_SOCKET)
86 {
87 break;
88 }
89 memset(&service, 0, sizeof(service));
90 service.sin_family = AF_INET;
91 service.sin_addr.s_addr = INADDR_ANY;
92 service.sin_port = htons(TCP_PORT);
93 if (bind(listenSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
94 {
95 break;
96 }
97 if (listen(listenSocket, LISTEN_BACKLOG) == SOCKET_ERROR)
98 {
99 break;
100 }
101 acceptSocket = accept(listenSocket, NULL, NULL);
102 if (acceptSocket == SOCKET_ERROR)
103 {
104 break;
105 }
106 /* Abort on error or the connection was closed */
107 recvResult = recv(acceptSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);
108 if (recvResult == SOCKET_ERROR || recvResult == 0)
109 {
110 break;
111 }
112 /* NUL-terminate the string */
113 inputBuffer[recvResult] = '\0';
114 /* Convert to int */
115 data = atoi(inputBuffer);
116 }
117 while (0);
118 if (listenSocket != INVALID_SOCKET)
119 {
120 CLOSE_SOCKET(listenSocket);
121 }
122 if (acceptSocket != INVALID_SOCKET)
123 {
124 CLOSE_SOCKET(acceptSocket);
125 }
126#ifdef _WIN32
127 if (wsaDataInit)
128 {
129 WSACleanup();
130 }
131#endif
132 }
133 }
134 if(staticReturnsTrue())
135 {
136 {
137 int buffer[10] = { 0 };
138 /* POTENTIAL FLAW: Attempt to access an index of the array that is above the upper bound
139 * This check does not check the upper bounds of the array index */
140 if (data >= 0)
141 {
142 printIntLine(buffer[data]);❗VULN
143 }
144 else
145 {
146 printLine("ERROR: Array index is negative");
147 }
148 }
149 }
150}
151
152#endif /* OMITBAD */
153
154#ifndef OMITGOOD
155
156/* goodB2G1() - use badsource and goodsink by changing the second staticReturnsTrue() to staticReturnsFalse() */
157static void goodB2G1()
158{
159 int data;
160 /* Initialize data */
161 data = -1;
162 if(staticReturnsTrue())
163 {
164 {
165#ifdef _WIN32
166 WSADATA wsaData;
167 int wsaDataInit = 0;
168#endif
169 int recvResult;
170 struct sockaddr_in service;
171 SOCKET listenSocket = INVALID_SOCKET;
172 SOCKET acceptSocket = INVALID_SOCKET;
173 char inputBuffer[CHAR_ARRAY_SIZE];
174 do
175 {
176#ifdef _WIN32
177 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
178 {
179 break;
180 }
181 wsaDataInit = 1;
182#endif
183 /* POTENTIAL FLAW: Read data using a listen socket */
184 listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
185 if (listenSocket == INVALID_SOCKET)
186 {
187 break;
188 }
189 memset(&service, 0, sizeof(service));
190 service.sin_family = AF_INET;
191 service.sin_addr.s_addr = INADDR_ANY;
192 service.sin_port = htons(TCP_PORT);
193 if (bind(listenSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
194 {
195 break;
196 }
197 if (listen(listenSocket, LISTEN_BACKLOG) == SOCKET_ERROR)
198 {
199 break;
200 }
201 acceptSocket = accept(listenSocket, NULL, NULL);
202 if (acceptSocket == SOCKET_ERROR)
203 {
204 break;
205 }
206 /* Abort on error or the connection was closed */
207 recvResult = recv(acceptSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);
208 if (recvResult == SOCKET_ERROR || recvResult == 0)
209 {
210 break;
211 }
212 /* NUL-terminate the string */
213 inputBuffer[recvResult] = '\0';
214 /* Convert to int */
215 data = atoi(inputBuffer);
216 }
217 while (0);
218 if (listenSocket != INVALID_SOCKET)
219 {
220 CLOSE_SOCKET(listenSocket);
221 }
222 if (acceptSocket != INVALID_SOCKET)
223 {
224 CLOSE_SOCKET(acceptSocket);
225 }
226#ifdef _WIN32
227 if (wsaDataInit)
228 {
229 WSACleanup();
230 }
231#endif
232 }
233 }
234 if(staticReturnsFalse())
235 {
236 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
237 printLine("Benign, fixed string");
238 }
239 else
240 {
241 {
242 int buffer[10] = { 0 };
243 /* FIX: Properly validate the array index and prevent a buffer overread */
244 if (data >= 0 && data < (10))
245 {
246 printIntLine(buffer[data]);
247 }
248 else
249 {
250 printLine("ERROR: Array index is out-of-bounds");
251 }
252 }
253 }
254}
255
256/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */
257static void goodB2G2()
258{
259 int data;
260 /* Initialize data */
261 data = -1;
262 if(staticReturnsTrue())
263 {
264 {
265#ifdef _WIN32
266 WSADATA wsaData;
267 int wsaDataInit = 0;
268#endif
269 int recvResult;
270 struct sockaddr_in service;
271 SOCKET listenSocket = INVALID_SOCKET;
272 SOCKET acceptSocket = INVALID_SOCKET;
273 char inputBuffer[CHAR_ARRAY_SIZE];
274 do
275 {
276#ifdef _WIN32
277 if (WSAStartup(MAKEWORD(2,2), &wsaData) != NO_ERROR)
278 {
279 break;
280 }
281 wsaDataInit = 1;
282#endif
283 /* POTENTIAL FLAW: Read data using a listen socket */
284 listenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
285 if (listenSocket == INVALID_SOCKET)
286 {
287 break;
288 }
289 memset(&service, 0, sizeof(service));
290 service.sin_family = AF_INET;
291 service.sin_addr.s_addr = INADDR_ANY;
292 service.sin_port = htons(TCP_PORT);
293 if (bind(listenSocket, (struct sockaddr*)&service, sizeof(service)) == SOCKET_ERROR)
294 {
295 break;
296 }
297 if (listen(listenSocket, LISTEN_BACKLOG) == SOCKET_ERROR)
298 {
299 break;
300 }
301 acceptSocket = accept(listenSocket, NULL, NULL);
302 if (acceptSocket == SOCKET_ERROR)
303 {
304 break;
305 }
306 /* Abort on error or the connection was closed */
307 recvResult = recv(acceptSocket, inputBuffer, CHAR_ARRAY_SIZE - 1, 0);
308 if (recvResult == SOCKET_ERROR || recvResult == 0)
309 {
310 break;
311 }
312 /* NUL-terminate the string */
313 inputBuffer[recvResult] = '\0';
314 /* Convert to int */
315 data = atoi(inputBuffer);
316 }
317 while (0);
318 if (listenSocket != INVALID_SOCKET)
319 {
320 CLOSE_SOCKET(listenSocket);
321 }
322 if (acceptSocket != INVALID_SOCKET)
323 {
324 CLOSE_SOCKET(acceptSocket);
325 }
326#ifdef _WIN32
327 if (wsaDataInit)
328 {
329 WSACleanup();
330 }
331#endif
332 }
333 }
334 if(staticReturnsTrue())
335 {
336 {
337 int buffer[10] = { 0 };
338 /* FIX: Properly validate the array index and prevent a buffer overread */
339 if (data >= 0 && data < (10))
340 {
341 printIntLine(buffer[data]);
342 }
343 else
344 {
345 printLine("ERROR: Array index is out-of-bounds");
346 }
347 }
348 }
349}
350
351/* goodG2B1() - use goodsource and badsink by changing the first staticReturnsTrue() to staticReturnsFalse() */
352static void goodG2B1()
353{
354 int data;
355 /* Initialize data */
356 data = -1;
357 if(staticReturnsFalse())
358 {
359 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
360 printLine("Benign, fixed string");
361 }
362 else
363 {
364 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
365 * access an index of the array in the sink that is out-of-bounds */
366 data = 7;
367 }
368 if(staticReturnsTrue())
369 {
370 {
371 int buffer[10] = { 0 };
372 /* POTENTIAL FLAW: Attempt to access an index of the array that is above the upper bound
373 * This check does not check the upper bounds of the array index */
374 if (data >= 0)
375 {
376 printIntLine(buffer[data]);
377 }
378 else
379 {
380 printLine("ERROR: Array index is negative");
381 }
382 }
383 }
384}
385
386/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */
387static void goodG2B2()
388{
389 int data;
390 /* Initialize data */
391 data = -1;
392 if(staticReturnsTrue())
393 {
394 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
395 * access an index of the array in the sink that is out-of-bounds */
396 data = 7;
397 }
398 if(staticReturnsTrue())
399 {
400 {
401 int buffer[10] = { 0 };
402 /* POTENTIAL FLAW: Attempt to access an index of the array that is above the upper bound
403 * This check does not check the upper bounds of the array index */
404 if (data >= 0)
405 {
406 printIntLine(buffer[data]);
407 }
408 else
409 {
410 printLine("ERROR: Array index is negative");
411 }
412 }
413 }
414}
415
416void CWE126_Buffer_Overread__CWE129_listen_socket_08_good()
417{
418 goodB2G1();
419 goodB2G2();
420 goodG2B1();
421 goodG2B2();
422}
423
424#endif /* OMITGOOD */
425
426/* Below is the main(). It is only used when building this testcase on
427 its own for testing or for building a binary to use in testing binary
428 analysis tools. It is not used when compiling all the testcases as one
429 application, which is how source code analysis tools are tested. */
430
431#ifdef INCLUDEMAIN
432
433int main(int argc, char * argv[])
434{
435 /* seed randomness */
436 srand( (unsigned)time(NULL) );
437#ifndef OMITGOOD
438 printLine("Calling good()...");
439 CWE126_Buffer_Overread__CWE129_listen_socket_08_good();
440 printLine("Finished good()");
441#endif /* OMITGOOD */
442#ifndef OMITBAD
443 printLine("Calling bad()...");
444 CWE126_Buffer_Overread__CWE129_listen_socket_08_bad();
445 printLine("Finished bad()");
446#endif /* OMITBAD */
447 return 0;
448}
449
450#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2257: CWE124_Buffer_Underwrite__wchar_t_declare_memcpy_04.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__wchar_t_declare_memcpy_04.c
3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml
4Template File: sources-sink-04.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memcpy
12 * BadSink : Copy string to data using memcpy
13 * Flow Variant: 04 Control flow: if(STATIC_CONST_TRUE) and if(STATIC_CONST_FALSE)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are declared "const", so a tool should
22 * be able to identify that reads of these will always return their
23 * initialized values.
24 */
25static const int STATIC_CONST_TRUE = 1; /* true */
26static const int STATIC_CONST_FALSE = 0; /* false */
27
28#ifndef OMITBAD
29
30void CWE124_Buffer_Underwrite__wchar_t_declare_memcpy_04_bad()
31{
32 wchar_t * data;
33 wchar_t dataBuffer[100];
34 wmemset(dataBuffer, L'A', 100-1);
35 dataBuffer[100-1] = L'\0';
36 if(STATIC_CONST_TRUE)
37 {
38 /* FLAW: Set data pointer to before the allocated memory buffer */
39 data = dataBuffer - 8;
40 }
41 {
42 wchar_t source[100];
43 wmemset(source, L'C', 100-1); /* fill with 'C's */
44 source[100-1] = L'\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
46 memcpy(data, source, 100*sizeof(wchar_t));❗VULN
47 /* Ensure the destination buffer is null terminated */
48 data[100-1] = L'\0';
49 printWLine(data);
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B1() - use goodsource and badsink by changing the STATIC_CONST_TRUE to STATIC_CONST_FALSE */
58static void goodG2B1()
59{
60 wchar_t * data;
61 wchar_t dataBuffer[100];
62 wmemset(dataBuffer, L'A', 100-1);
63 dataBuffer[100-1] = L'\0';
64 if(STATIC_CONST_FALSE)
65 {
66 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
67 printLine("Benign, fixed string");
68 }
69 else
70 {
71 /* FIX: Set data pointer to the allocated memory buffer */
72 data = dataBuffer;
73 }
74 {
75 wchar_t source[100];
76 wmemset(source, L'C', 100-1); /* fill with 'C's */
77 source[100-1] = L'\0'; /* null terminate */
78 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
79 memcpy(data, source, 100*sizeof(wchar_t));
80 /* Ensure the destination buffer is null terminated */
81 data[100-1] = L'\0';
82 printWLine(data);
83 }
84}
85
86/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
87static void goodG2B2()
88{
89 wchar_t * data;
90 wchar_t dataBuffer[100];
91 wmemset(dataBuffer, L'A', 100-1);
92 dataBuffer[100-1] = L'\0';
93 if(STATIC_CONST_TRUE)
94 {
95 /* FIX: Set data pointer to the allocated memory buffer */
96 data = dataBuffer;
97 }
98 {
99 wchar_t source[100];
100 wmemset(source, L'C', 100-1); /* fill with 'C's */
101 source[100-1] = L'\0'; /* null terminate */
102 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
103 memcpy(data, source, 100*sizeof(wchar_t));
104 /* Ensure the destination buffer is null terminated */
105 data[100-1] = L'\0';
106 printWLine(data);
107 }
108}
109
110void CWE124_Buffer_Underwrite__wchar_t_declare_memcpy_04_good()
111{
112 goodG2B1();
113 goodG2B2();
114}
115
116#endif /* OMITGOOD */
117
118/* Below is the main(). It is only used when building this testcase on
119 * its own for testing or for building a binary to use in testing binary
120 * analysis tools. It is not used when compiling all the testcases as one
121 * application, which is how source code analysis tools are tested.
122 */
123
124#ifdef INCLUDEMAIN
125
126int main(int argc, char * argv[])
127{
128 /* seed randomness */
129 srand( (unsigned)time(NULL) );
130#ifndef OMITGOOD
131 printLine("Calling good()...");
132 CWE124_Buffer_Underwrite__wchar_t_declare_memcpy_04_good();
133 printLine("Finished good()");
134#endif /* OMITGOOD */
135#ifndef OMITBAD
136 printLine("Calling bad()...");
137 CWE124_Buffer_Underwrite__wchar_t_declare_memcpy_04_bad();
138 printLine("Finished bad()");
139#endif /* OMITBAD */
140 return 0;
141}
142
143#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4075: CWE127_Buffer_Underread__malloc_char_cpy_18.c

Nodes: 15 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE127_Buffer_Underread__malloc_char_cpy_18.c
3Label Definition File: CWE127_Buffer_Underread__malloc.label.xml
4Template File: sources-sink-18.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 127 Buffer Under-read
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: cpy
12 * BadSink : Copy data to string using strcpy
13 * Flow Variant: 18 Control flow: goto statements
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE127_Buffer_Underread__malloc_char_cpy_18_bad()
24{
25 char * data;
26 data = NULL;
27 goto source;
28source:
29 {
30 char * dataBuffer = (char *)malloc(100*sizeof(char));
31 if (dataBuffer == NULL) {exit(-1);}
32 memset(dataBuffer, 'A', 100-1);
33 dataBuffer[100-1] = '\0';
34 /* FLAW: Set data pointer to before the allocated memory buffer */
35 data = dataBuffer - 8;
36 }
37 {
38 char dest[100*2];
39 memset(dest, 'C', 100*2-1); /* fill with 'C's */
40 dest[100*2-1] = '\0'; /* null terminate */
41 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
42 strcpy(dest, data);❗VULN
43 printLine(dest);
44 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
45 * returned by malloc() so can't safely call free() on it */
46 }
47}
48
49#endif /* OMITBAD */
50
51#ifndef OMITGOOD
52
53/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
54static void goodG2B()
55{
56 char * data;
57 data = NULL;
58 goto source;
59source:
60 {
61 char * dataBuffer = (char *)malloc(100*sizeof(char));
62 if (dataBuffer == NULL) {exit(-1);}
63 memset(dataBuffer, 'A', 100-1);
64 dataBuffer[100-1] = '\0';
65 /* FIX: Set data pointer to the allocated memory buffer */
66 data = dataBuffer;
67 }
68 {
69 char dest[100*2];
70 memset(dest, 'C', 100*2-1); /* fill with 'C's */
71 dest[100*2-1] = '\0'; /* null terminate */
72 /* POTENTIAL FLAW: Possibly copy from a memory location located before the source buffer */
73 strcpy(dest, data);
74 printLine(dest);
75 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
76 * returned by malloc() so can't safely call free() on it */
77 }
78}
79
80void CWE127_Buffer_Underread__malloc_char_cpy_18_good()
81{
82 goodG2B();
83}
84
85#endif /* OMITGOOD */
86
87/* Below is the main(). It is only used when building this testcase on
88 * its own for testing or for building a binary to use in testing binary
89 * analysis tools. It is not used when compiling all the testcases as one
90 * application, which is how source code analysis tools are tested.
91 */
92
93#ifdef INCLUDEMAIN
94
95int main(int argc, char * argv[])
96{
97 /* seed randomness */
98 srand( (unsigned)time(NULL) );
99#ifndef OMITGOOD
100 printLine("Calling good()...");
101 CWE127_Buffer_Underread__malloc_char_cpy_18_good();
102 printLine("Finished good()");
103#endif /* OMITGOOD */
104#ifndef OMITBAD
105 printLine("Calling bad()...");
106 CWE127_Buffer_Underread__malloc_char_cpy_18_bad();
107 printLine("Finished bad()");
108#endif /* OMITBAD */
109 return 0;
110}
111
112#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9126: CWE124_Buffer_Underwrite__new_char_loop_09.cpp

Nodes: 17 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__new_char_loop_09.cpp
3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml
4Template File: sources-sink-09.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: loop
12 * BadSink : Copy string to data using a loop
13 * Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE) and if(GLOBAL_CONST_FALSE)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE124_Buffer_Underwrite__new_char_loop_09
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 char * data;
29 data = NULL;
30 if(GLOBAL_CONST_TRUE)
31 {
32 {
33 char * dataBuffer = new char[100];
34 memset(dataBuffer, 'A', 100-1);
35 dataBuffer[100-1] = '\0';
36 /* FLAW: Set data pointer to before the allocated memory buffer */
37 data = dataBuffer - 8;
38 }
39 }
40 {
41 size_t i;
42 char source[100];
43 memset(source, 'C', 100-1); /* fill with 'C's */
44 source[100-1] = '\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
46 for (i = 0; i < 100; i++)
47 {
48 data[i] = source[i];❗VULN
49 }
50 /* Ensure the destination buffer is null terminated */
51 data[100-1] = '\0';
52 printLine(data);
53 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
54 * returned by new [] so can't safely call delete [] on it */
55 }
56}
57
58#endif /* OMITBAD */
59
60#ifndef OMITGOOD
61
62/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */
63static void goodG2B1()
64{
65 char * data;
66 data = NULL;
67 if(GLOBAL_CONST_FALSE)
68 {
69 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
70 printLine("Benign, fixed string");
71 }
72 else
73 {
74 {
75 char * dataBuffer = new char[100];
76 memset(dataBuffer, 'A', 100-1);
77 dataBuffer[100-1] = '\0';
78 /* FIX: Set data pointer to the allocated memory buffer */
79 data = dataBuffer;
80 }
81 }
82 {
83 size_t i;
84 char source[100];
85 memset(source, 'C', 100-1); /* fill with 'C's */
86 source[100-1] = '\0'; /* null terminate */
87 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
88 for (i = 0; i < 100; i++)
89 {
90 data[i] = source[i];
91 }
92 /* Ensure the destination buffer is null terminated */
93 data[100-1] = '\0';
94 printLine(data);
95 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
96 * returned by new [] so can't safely call delete [] on it */
97 }
98}
99
100/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
101static void goodG2B2()
102{
103 char * data;
104 data = NULL;
105 if(GLOBAL_CONST_TRUE)
106 {
107 {
108 char * dataBuffer = new char[100];
109 memset(dataBuffer, 'A', 100-1);
110 dataBuffer[100-1] = '\0';
111 /* FIX: Set data pointer to the allocated memory buffer */
112 data = dataBuffer;
113 }
114 }
115 {
116 size_t i;
117 char source[100];
118 memset(source, 'C', 100-1); /* fill with 'C's */
119 source[100-1] = '\0'; /* null terminate */
120 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
121 for (i = 0; i < 100; i++)
122 {
123 data[i] = source[i];
124 }
125 /* Ensure the destination buffer is null terminated */
126 data[100-1] = '\0';
127 printLine(data);
128 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
129 * returned by new [] so can't safely call delete [] on it */
130 }
131}
132
133void good()
134{
135 goodG2B1();
136 goodG2B2();
137}
138
139#endif /* OMITGOOD */
140
141} /* close namespace */
142
143/* Below is the main(). It is only used when building this testcase on
144 its own for testing or for building a binary to use in testing binary
145 analysis tools. It is not used when compiling all the testcases as one
146 application, which is how source code analysis tools are tested. */
147
148#ifdef INCLUDEMAIN
149
150using namespace CWE124_Buffer_Underwrite__new_char_loop_09; /* so that we can use good and bad easily */
151
152int main(int argc, char * argv[])
153{
154 /* seed randomness */
155 srand( (unsigned)time(NULL) );
156#ifndef OMITGOOD
157 printLine("Calling good()...");
158 good();
159 printLine("Finished good()");
160#endif /* OMITGOOD */
161#ifndef OMITBAD
162 printLine("Calling bad()...");
163 bad();
164 printLine("Finished bad()");
165#endif /* OMITBAD */
166 return 0;
167}
168
169#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9388: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE805.string.label.xml
4Template File: sources-sink-45.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sinks: loop
12 * BadSink : Copy string to data using a loop
13 * Flow Variant: 45 Data flow: data passed as a static global variable from one function to another in the same source file
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21static wchar_t * CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_badData;
22static wchar_t * CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_goodG2BData;
23
24#ifndef OMITBAD
25
26static void badSink()
27{
28 wchar_t * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_badData;
29 {
30 size_t i;
31 wchar_t source[100];
32 wmemset(source, L'C', 100-1); /* fill with L'C's */
33 source[100-1] = L'\0'; /* null terminate */
34 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
35 for (i = 0; i < 100; i++)
36 {
37 data[i] = source[i];❗VULN
38 }
39 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
40 printWLine(data);
41 }
42}
43
44void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_bad()
45{
46 wchar_t * data;
47 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
48 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
49 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
50 * buffer in various memory copying functions using a "large" source buffer. */
51 data = dataBadBuffer;
52 data[0] = L'\0'; /* null terminate */
53 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_badData = data;
54 badSink();
55}
56
57#endif /* OMITBAD */
58
59#ifndef OMITGOOD
60
61/* goodG2B() uses the GoodSource with the BadSink */
62static void goodG2BSink()
63{
64 wchar_t * data = CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_goodG2BData;
65 {
66 size_t i;
67 wchar_t source[100];
68 wmemset(source, L'C', 100-1); /* fill with L'C's */
69 source[100-1] = L'\0'; /* null terminate */
70 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
71 for (i = 0; i < 100; i++)
72 {
73 data[i] = source[i];
74 }
75 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
76 printWLine(data);
77 }
78}
79
80static void goodG2B()
81{
82 wchar_t * data;
83 wchar_t * dataBadBuffer = (wchar_t *)ALLOCA(50*sizeof(wchar_t));
84 wchar_t * dataGoodBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
85 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
86 data = dataGoodBuffer;
87 data[0] = L'\0'; /* null terminate */
88 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_goodG2BData = data;
89 goodG2BSink();
90}
91
92void CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_good()
93{
94 goodG2B();
95}
96
97#endif /* OMITGOOD */
98
99/* Below is the main(). It is only used when building this testcase on
100 * its own for testing or for building a binary to use in testing binary
101 * analysis tools. It is not used when compiling all the testcases as one
102 * application, which is how source code analysis tools are tested.
103 */
104#ifdef INCLUDEMAIN
105
106int main(int argc, char * argv[])
107{
108 /* seed randomness */
109 srand( (unsigned)time(NULL) );
110#ifndef OMITGOOD
111 printLine("Calling good()...");
112 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_good();
113 printLine("Finished good()");
114#endif /* OMITGOOD */
115#ifndef OMITBAD
116 printLine("Calling bad()...");
117 CWE121_Stack_Based_Buffer_Overflow__CWE805_wchar_t_alloca_loop_45_bad();
118 printLine("Finished bad()");
119#endif /* OMITBAD */
120 return 0;
121}
122
123#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6467: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncat_17.cpp

Nodes: 13 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncat_17.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806.label.xml
4Template File: sources-sink-17.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: ncat
12 * BadSink : Copy data to string using strncat
13 * Flow Variant: 17 Control flow: for loops
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncat_17
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 int i;
29 char * data;
30 data = new char[100];
31 for(i = 0; i < 1; i++)
32 {
33 /* FLAW: Initialize data as a large buffer that is larger than the small buffer used in the sink */
34 memset(data, 'A', 100-1); /* fill with 'A's */
35 data[100-1] = '\0'; /* null terminate */
36 }
37 {
38 char dest[50] = "";
39 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/
40 strncat(dest, data, strlen(data));❗VULN
41 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
42 printLine(data);
43 delete [] data;
44 }
45}
46
47#endif /* OMITBAD */
48
49#ifndef OMITGOOD
50
51/* goodG2B() - use goodsource in the for statement */
52static void goodG2B()
53{
54 int h;
55 char * data;
56 data = new char[100];
57 for(h = 0; h < 1; h++)
58 {
59 /* FIX: Initialize data as a small buffer that as small or smaller than the small buffer used in the sink */
60 memset(data, 'A', 50-1); /* fill with 'A's */
61 data[50-1] = '\0'; /* null terminate */
62 }
63 {
64 char dest[50] = "";
65 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than sizeof(dest)-strlen(dest)*/
66 strncat(dest, data, strlen(data));
67 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
68 printLine(data);
69 delete [] data;
70 }
71}
72
73void good()
74{
75 goodG2B();
76}
77
78#endif /* OMITGOOD */
79
80} /* close namespace */
81
82/* Below is the main(). It is only used when building this testcase on
83 its own for testing or for building a binary to use in testing binary
84 analysis tools. It is not used when compiling all the testcases as one
85 application, which is how source code analysis tools are tested. */
86
87#ifdef INCLUDEMAIN
88
89using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE806_char_ncat_17; /* so that we can use good and bad easily */
90
91int main(int argc, char * argv[])
92{
93 /* seed randomness */
94 srand( (unsigned)time(NULL) );
95#ifndef OMITGOOD
96 printLine("Calling good()...");
97 good();
98 printLine("Finished good()");
99#endif /* OMITGOOD */
100#ifndef OMITBAD
101 printLine("Calling bad()...");
102 bad();
103 printLine("Finished bad()");
104#endif /* OMITBAD */
105 return 0;
106}
107
108#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 6189: CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_17.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_17.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__dest.label.xml
4Template File: sources-sink-17.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Set data pointer to the bad buffer
10 * GoodSource: Set data pointer to the good buffer
11 * Sink: cpy
12 * BadSink : Copy string to data using strcpy
13 * Flow Variant: 17 Control flow: for loops
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_17_bad()
24{
25 int i;
26 char * data;
27 char dataBadBuffer[50];
28 char dataGoodBuffer[100];
29 for(i = 0; i < 1; i++)
30 {
31 /* FLAW: Set a pointer to a "small" buffer. This buffer will be used in the sinks as a destination
32 * buffer in various memory copying functions using a "large" source buffer. */
33 data = dataBadBuffer;
34 data[0] = '\0'; /* null terminate */
35 }
36 {
37 char source[100];
38 memset(source, 'C', 100-1); /* fill with 'C's */
39 source[100-1] = '\0'; /* null terminate */
40 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
41 strcpy(data, source);❗VULN
42 printLine(data);
43 }
44}
45
46#endif /* OMITBAD */
47
48#ifndef OMITGOOD
49
50/* goodG2B() - use goodsource and badsink by changing the conditions on the for statements */
51static void goodG2B()
52{
53 int h;
54 char * data;
55 char dataBadBuffer[50];
56 char dataGoodBuffer[100];
57 for(h = 0; h < 1; h++)
58 {
59 /* FIX: Set a pointer to a "large" buffer, thus avoiding buffer overflows in the sinks. */
60 data = dataGoodBuffer;
61 data[0] = '\0'; /* null terminate */
62 }
63 {
64 char source[100];
65 memset(source, 'C', 100-1); /* fill with 'C's */
66 source[100-1] = '\0'; /* null terminate */
67 /* POTENTIAL FLAW: Possible buffer overflow if the size of data is less than the length of source */
68 strcpy(data, source);
69 printLine(data);
70 }
71}
72
73void CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_17_good()
74{
75 goodG2B();
76}
77
78#endif /* OMITGOOD */
79
80/* Below is the main(). It is only used when building this testcase on
81 * its own for testing or for building a binary to use in testing binary
82 * analysis tools. It is not used when compiling all the testcases as one
83 * application, which is how source code analysis tools are tested.
84 */
85
86#ifdef INCLUDEMAIN
87
88int main(int argc, char * argv[])
89{
90 /* seed randomness */
91 srand( (unsigned)time(NULL) );
92#ifndef OMITGOOD
93 printLine("Calling good()...");
94 CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_17_good();
95 printLine("Finished good()");
96#endif /* OMITGOOD */
97#ifndef OMITBAD
98 printLine("Calling bad()...");
99 CWE121_Stack_Based_Buffer_Overflow__dest_char_declare_cpy_17_bad();
100 printLine("Finished bad()");
101#endif /* OMITBAD */
102 return 0;
103}
104
105#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9465: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22a.c

Nodes: 9 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22a.c
3Label Definition File: CWE121_Stack_Based_Buffer_Overflow__CWE806.label.xml
4Template File: sources-sink-22a.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 121 Stack Based Buffer Overflow
9 * BadSource: Initialize data as a large string
10 * GoodSource: Initialize data as a small string
11 * Sink: ncpy
12 * BadSink : Copy data to string using strncpy
13 * Flow Variant: 22 Control flow: Flow controlled by value of a global variable. Sink functions are in a separate file from sources.
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23/* The global variable below is used to drive control flow in the source function */
24int CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_badGlobal = 0;
25
26char * CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_badSource(char * data);
27
28void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_bad()
29{
30 char * data;
31 char dataBuffer[100];
32 data = dataBuffer;
33 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_badGlobal = 1; /* true */
34 data = CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_badSource(data);
35 {
36 char dest[50] = "";
37 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
38 strncpy(dest, data, strlen(data));❗VULN
39 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
40 printLine(data);
41 }
42}
43
44#endif /* OMITBAD */
45
46#ifndef OMITGOOD
47
48/* The global variables below are used to drive control flow in the source functions. */
49int CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_goodG2B1Global = 0;
50int CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_goodG2B2Global = 0;
51
52/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */
53char * CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_goodG2B1Source(char * data);
54
55static void goodG2B1()
56{
57 char * data;
58 char dataBuffer[100];
59 data = dataBuffer;
60 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_goodG2B1Global = 0; /* false */
61 data = CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_goodG2B1Source(data);
62 {
63 char dest[50] = "";
64 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
65 strncpy(dest, data, strlen(data));
66 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
67 printLine(data);
68 }
69}
70
71/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if in the source function */
72char * CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_goodG2B2Source(char * data);
73
74static void goodG2B2()
75{
76 char * data;
77 char dataBuffer[100];
78 data = dataBuffer;
79 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_goodG2B2Global = 1; /* true */
80 data = CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_goodG2B2Source(data);
81 {
82 char dest[50] = "";
83 /* POTENTIAL FLAW: Possible buffer overflow if data is larger than dest */
84 strncpy(dest, data, strlen(data));
85 dest[50-1] = '\0'; /* Ensure the destination buffer is null terminated */
86 printLine(data);
87 }
88}
89
90void CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_good()
91{
92 goodG2B1();
93 goodG2B2();
94}
95
96#endif /* OMITGOOD */
97
98/* Below is the main(). It is only used when building this testcase on
99 * its own for testing or for building a binary to use in testing binary
100 * analysis tools. It is not used when compiling all the testcases as one
101 * application, which is how source code analysis tools are tested.
102 */
103
104#ifdef INCLUDEMAIN
105
106int main(int argc, char * argv[])
107{
108 /* seed randomness */
109 srand( (unsigned)time(NULL) );
110#ifndef OMITGOOD
111 printLine("Calling good()...");
112 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_good();
113 printLine("Finished good()");
114#endif /* OMITGOOD */
115#ifndef OMITBAD
116 printLine("Calling bad()...");
117 CWE121_Stack_Based_Buffer_Overflow__CWE806_char_declare_ncpy_22_bad();
118 printLine("Finished bad()");
119#endif /* OMITBAD */
120 return 0;
121}
122
123#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 1684: CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_09.c

Nodes: 12 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_09.c
3Label Definition File: CWE124_Buffer_Underwrite.stack.label.xml
4Template File: sources-sink-09.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: memcpy
12 * BadSink : Copy string to data using memcpy
13 * Flow Variant: 09 Control flow: if(GLOBAL_CONST_TRUE) and if(GLOBAL_CONST_FALSE)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21#ifndef OMITBAD
22
23void CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_09_bad()
24{
25 wchar_t * data;
26 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
27 wmemset(dataBuffer, L'A', 100-1);
28 dataBuffer[100-1] = L'\0';
29 if(GLOBAL_CONST_TRUE)
30 {
31 /* FLAW: Set data pointer to before the allocated memory buffer */
32 data = dataBuffer - 8;
33 }
34 {
35 wchar_t source[100];
36 wmemset(source, L'C', 100-1); /* fill with 'C's */
37 source[100-1] = L'\0'; /* null terminate */
38 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
39 memcpy(data, source, 100*sizeof(wchar_t));❗VULN
40 /* Ensure the destination buffer is null terminated */
41 data[100-1] = L'\0';
42 printWLine(data);
43 }
44}
45
46#endif /* OMITBAD */
47
48#ifndef OMITGOOD
49
50/* goodG2B1() - use goodsource and badsink by changing the GLOBAL_CONST_TRUE to GLOBAL_CONST_FALSE */
51static void goodG2B1()
52{
53 wchar_t * data;
54 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
55 wmemset(dataBuffer, L'A', 100-1);
56 dataBuffer[100-1] = L'\0';
57 if(GLOBAL_CONST_FALSE)
58 {
59 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
60 printLine("Benign, fixed string");
61 }
62 else
63 {
64 /* FIX: Set data pointer to the allocated memory buffer */
65 data = dataBuffer;
66 }
67 {
68 wchar_t source[100];
69 wmemset(source, L'C', 100-1); /* fill with 'C's */
70 source[100-1] = L'\0'; /* null terminate */
71 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
72 memcpy(data, source, 100*sizeof(wchar_t));
73 /* Ensure the destination buffer is null terminated */
74 data[100-1] = L'\0';
75 printWLine(data);
76 }
77}
78
79/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
80static void goodG2B2()
81{
82 wchar_t * data;
83 wchar_t * dataBuffer = (wchar_t *)ALLOCA(100*sizeof(wchar_t));
84 wmemset(dataBuffer, L'A', 100-1);
85 dataBuffer[100-1] = L'\0';
86 if(GLOBAL_CONST_TRUE)
87 {
88 /* FIX: Set data pointer to the allocated memory buffer */
89 data = dataBuffer;
90 }
91 {
92 wchar_t source[100];
93 wmemset(source, L'C', 100-1); /* fill with 'C's */
94 source[100-1] = L'\0'; /* null terminate */
95 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
96 memcpy(data, source, 100*sizeof(wchar_t));
97 /* Ensure the destination buffer is null terminated */
98 data[100-1] = L'\0';
99 printWLine(data);
100 }
101}
102
103void CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_09_good()
104{
105 goodG2B1();
106 goodG2B2();
107}
108
109#endif /* OMITGOOD */
110
111/* Below is the main(). It is only used when building this testcase on
112 * its own for testing or for building a binary to use in testing binary
113 * analysis tools. It is not used when compiling all the testcases as one
114 * application, which is how source code analysis tools are tested.
115 */
116
117#ifdef INCLUDEMAIN
118
119int main(int argc, char * argv[])
120{
121 /* seed randomness */
122 srand( (unsigned)time(NULL) );
123#ifndef OMITGOOD
124 printLine("Calling good()...");
125 CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_09_good();
126 printLine("Finished good()");
127#endif /* OMITGOOD */
128#ifndef OMITBAD
129 printLine("Calling bad()...");
130 CWE124_Buffer_Underwrite__wchar_t_alloca_memcpy_09_bad();
131 printLine("Finished bad()");
132#endif /* OMITBAD */
133 return 0;
134}
135
136#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2386: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE129_fgets_06.cpp

Nodes: 22 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE129_fgets_06.cpp
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__cpp_CWE129.label.xml
4Template File: sources-sinks-06.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: fgets Read data from the console using fgets()
10 * GoodSource: Larger than zero but less than 10
11 * Sinks:
12 * GoodSink: Ensure the array index is valid
13 * BadSink : Improperly check the array index by not checking the upper bound
14 * Flow Variant: 06 Control flow: if(STATIC_CONST_FIVE==5) and if(STATIC_CONST_FIVE!=5)
15 *
16 * */
17
18#include "std_testcase.h"
19
20#define CHAR_ARRAY_SIZE (3 * sizeof(data) + 2)
21
22/* The variable below is declared "const", so a tool should be able
23 to identify that reads of this will always give its initialized
24 value. */
25static const int STATIC_CONST_FIVE = 5;
26
27namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE129_fgets_06
28{
29
30#ifndef OMITBAD
31
32void bad()
33{
34 int data;
35 /* Initialize data */
36 data = -1;
37 if(STATIC_CONST_FIVE==5)
38 {
39 {
40 char inputBuffer[CHAR_ARRAY_SIZE] = "";
41 /* POTENTIAL FLAW: Read data from the console using fgets() */
42 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)
43 {
44 /* Convert to int */
45 data = atoi(inputBuffer);
46 }
47 else
48 {
49 printLine("fgets() failed.");
50 }
51 }
52 }
53 if(STATIC_CONST_FIVE==5)
54 {
55 {
56 int i;
57 int * buffer = new int[10];
58 /* initialize buffer */
59 for (i = 0; i < 10; i++)
60 {
61 buffer[i] = 0;
62 }
63 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
64 * This code does check to see if the array index is negative */
65 if (data >= 0)
66 {
67 buffer[data] = 1;❗VULN
68 /* Print the array values */
69 for(i = 0; i < 10; i++)
70 {
71 printIntLine(buffer[i]);
72 }
73 }
74 else
75 {
76 printLine("ERROR: Array index is negative.");
77 }
78 delete[] buffer;
79 }
80 }
81}
82
83#endif /* OMITBAD */
84
85#ifndef OMITGOOD
86
87/* goodB2G1() - use badsource and goodsink by changing the second STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */
88static void goodB2G1()
89{
90 int data;
91 /* Initialize data */
92 data = -1;
93 if(STATIC_CONST_FIVE==5)
94 {
95 {
96 char inputBuffer[CHAR_ARRAY_SIZE] = "";
97 /* POTENTIAL FLAW: Read data from the console using fgets() */
98 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)
99 {
100 /* Convert to int */
101 data = atoi(inputBuffer);
102 }
103 else
104 {
105 printLine("fgets() failed.");
106 }
107 }
108 }
109 if(STATIC_CONST_FIVE!=5)
110 {
111 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
112 printLine("Benign, fixed string");
113 }
114 else
115 {
116 {
117 int i;
118 int * buffer = new int[10];
119 /* initialize buffer */
120 for (i = 0; i < 10; i++)
121 {
122 buffer[i] = 0;
123 }
124 /* FIX: Properly validate the array index and prevent a buffer overflow */
125 if (data >= 0 && data < (10))
126 {
127 buffer[data] = 1;
128 /* Print the array values */
129 for(i = 0; i < 10; i++)
130 {
131 printIntLine(buffer[i]);
132 }
133 }
134 else
135 {
136 printLine("ERROR: Array index is out-of-bounds");
137 }
138 delete[] buffer;
139 }
140 }
141}
142
143/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second if */
144static void goodB2G2()
145{
146 int data;
147 /* Initialize data */
148 data = -1;
149 if(STATIC_CONST_FIVE==5)
150 {
151 {
152 char inputBuffer[CHAR_ARRAY_SIZE] = "";
153 /* POTENTIAL FLAW: Read data from the console using fgets() */
154 if (fgets(inputBuffer, CHAR_ARRAY_SIZE, stdin) != NULL)
155 {
156 /* Convert to int */
157 data = atoi(inputBuffer);
158 }
159 else
160 {
161 printLine("fgets() failed.");
162 }
163 }
164 }
165 if(STATIC_CONST_FIVE==5)
166 {
167 {
168 int i;
169 int * buffer = new int[10];
170 /* initialize buffer */
171 for (i = 0; i < 10; i++)
172 {
173 buffer[i] = 0;
174 }
175 /* FIX: Properly validate the array index and prevent a buffer overflow */
176 if (data >= 0 && data < (10))
177 {
178 buffer[data] = 1;
179 /* Print the array values */
180 for(i = 0; i < 10; i++)
181 {
182 printIntLine(buffer[i]);
183 }
184 }
185 else
186 {
187 printLine("ERROR: Array index is out-of-bounds");
188 }
189 delete[] buffer;
190 }
191 }
192}
193
194/* goodG2B1() - use goodsource and badsink by changing the first STATIC_CONST_FIVE==5 to STATIC_CONST_FIVE!=5 */
195static void goodG2B1()
196{
197 int data;
198 /* Initialize data */
199 data = -1;
200 if(STATIC_CONST_FIVE!=5)
201 {
202 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
203 printLine("Benign, fixed string");
204 }
205 else
206 {
207 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
208 * access an index of the array in the sink that is out-of-bounds */
209 data = 7;
210 }
211 if(STATIC_CONST_FIVE==5)
212 {
213 {
214 int i;
215 int * buffer = new int[10];
216 /* initialize buffer */
217 for (i = 0; i < 10; i++)
218 {
219 buffer[i] = 0;
220 }
221 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
222 * This code does check to see if the array index is negative */
223 if (data >= 0)
224 {
225 buffer[data] = 1;
226 /* Print the array values */
227 for(i = 0; i < 10; i++)
228 {
229 printIntLine(buffer[i]);
230 }
231 }
232 else
233 {
234 printLine("ERROR: Array index is negative.");
235 }
236 delete[] buffer;
237 }
238 }
239}
240
241/* goodG2B2() - use goodsource and badsink by reversing the blocks in the first if */
242static void goodG2B2()
243{
244 int data;
245 /* Initialize data */
246 data = -1;
247 if(STATIC_CONST_FIVE==5)
248 {
249 /* FIX: Use a value greater than 0, but less than 10 to avoid attempting to
250 * access an index of the array in the sink that is out-of-bounds */
251 data = 7;
252 }
253 if(STATIC_CONST_FIVE==5)
254 {
255 {
256 int i;
257 int * buffer = new int[10];
258 /* initialize buffer */
259 for (i = 0; i < 10; i++)
260 {
261 buffer[i] = 0;
262 }
263 /* POTENTIAL FLAW: Attempt to write to an index of the array that is above the upper bound
264 * This code does check to see if the array index is negative */
265 if (data >= 0)
266 {
267 buffer[data] = 1;
268 /* Print the array values */
269 for(i = 0; i < 10; i++)
270 {
271 printIntLine(buffer[i]);
272 }
273 }
274 else
275 {
276 printLine("ERROR: Array index is negative.");
277 }
278 delete[] buffer;
279 }
280 }
281}
282
283void good()
284{
285 goodB2G1();
286 goodB2G2();
287 goodG2B1();
288 goodG2B2();
289}
290
291#endif /* OMITGOOD */
292
293} /* close namespace */
294
295/* Below is the main(). It is only used when building this testcase on
296 its own for testing or for building a binary to use in testing binary
297 analysis tools. It is not used when compiling all the testcases as one
298 application, which is how source code analysis tools are tested. */
299
300#ifdef INCLUDEMAIN
301
302using namespace CWE122_Heap_Based_Buffer_Overflow__cpp_CWE129_fgets_06; /* so that we can use good and bad easily */
303
304int main(int argc, char * argv[])
305{
306 /* seed randomness */
307 srand( (unsigned)time(NULL) );
308#ifndef OMITGOOD
309 printLine("Calling good()...");
310 good();
311 printLine("Finished good()");
312#endif /* OMITGOOD */
313#ifndef OMITBAD
314 printLine("Calling bad()...");
315 bad();
316 printLine("Finished bad()");
317#endif /* OMITBAD */
318 return 0;
319}
320
321#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 2110: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_16.c

Nodes: 17 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_16.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.label.xml
4Template File: sources-sink-16.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 * Sink: memmove
12 * BadSink : Copy twoIntsStruct array to data using memmove
13 * Flow Variant: 16 Control flow: while(1)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_16_bad()
22{
23 twoIntsStruct * data;
24 data = NULL;
25 while(1)
26 {
27 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
28 data = (twoIntsStruct *)malloc(50*sizeof(twoIntsStruct));
29 if (data == NULL) {exit(-1);}
30 break;
31 }
32 {
33 twoIntsStruct source[100];
34 {
35 size_t i;
36 /* Initialize array */
37 for (i = 0; i < 100; i++)
38 {
39 source[i].intOne = 0;
40 source[i].intTwo = 0;
41 }
42 }
43 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
44 memmove(data, source, 100*sizeof(twoIntsStruct));❗VULN
45 printStructLine(&data[0]);
46 free(data);
47 }
48}
49
50#endif /* OMITBAD */
51
52#ifndef OMITGOOD
53
54/* goodG2B() - use goodsource and badsink by changing the conditions on the while statements */
55static void goodG2B()
56{
57 twoIntsStruct * data;
58 data = NULL;
59 while(1)
60 {
61 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
62 data = (twoIntsStruct *)malloc(100*sizeof(twoIntsStruct));
63 if (data == NULL) {exit(-1);}
64 break;
65 }
66 {
67 twoIntsStruct source[100];
68 {
69 size_t i;
70 /* Initialize array */
71 for (i = 0; i < 100; i++)
72 {
73 source[i].intOne = 0;
74 source[i].intTwo = 0;
75 }
76 }
77 /* POTENTIAL FLAW: Possible buffer overflow if data < 100 */
78 memmove(data, source, 100*sizeof(twoIntsStruct));
79 printStructLine(&data[0]);
80 free(data);
81 }
82}
83
84void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_16_good()
85{
86 goodG2B();
87}
88
89#endif /* OMITGOOD */
90
91/* Below is the main(). It is only used when building this testcase on
92 * its own for testing or for building a binary to use in testing binary
93 * analysis tools. It is not used when compiling all the testcases as one
94 * application, which is how source code analysis tools are tested.
95 */
96
97#ifdef INCLUDEMAIN
98
99int main(int argc, char * argv[])
100{
101 /* seed randomness */
102 srand( (unsigned)time(NULL) );
103#ifndef OMITGOOD
104 printLine("Calling good()...");
105 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_16_good();
106 printLine("Finished good()");
107#endif /* OMITGOOD */
108#ifndef OMITBAD
109 printLine("Calling bad()...");
110 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_struct_memmove_16_bad();
111 printLine("Finished bad()");
112#endif /* OMITBAD */
113 return 0;
114}
115
116#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 3112: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_memcpy_05.c

Nodes: 14 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_memcpy_05.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__c_CWE805.string.label.xml
4Template File: sources-sink-05.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate using malloc() and set data pointer to a small buffer
10 * GoodSource: Allocate using malloc() and set data pointer to a large buffer
11 * Sink: memcpy
12 * BadSink : Copy string to data using memcpy
13 * Flow Variant: 05 Control flow: if(staticTrue) and if(staticFalse)
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21/* The two variables below are not defined as "const", but are never
22 * assigned any other value, so a tool should be able to identify that
23 * reads of these will always return their initialized values.
24 */
25static int staticTrue = 1; /* true */
26static int staticFalse = 0; /* false */
27
28#ifndef OMITBAD
29
30void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_memcpy_05_bad()
31{
32 wchar_t * data;
33 data = NULL;
34 if(staticTrue)
35 {
36 /* FLAW: Allocate and point data to a small buffer that is smaller than the large buffer used in the sinks */
37 data = (wchar_t *)malloc(50*sizeof(wchar_t));
38 if (data == NULL) {exit(-1);}
39 data[0] = L'\0'; /* null terminate */
40 }
41 {
42 wchar_t source[100];
43 wmemset(source, L'C', 100-1); /* fill with L'C's */
44 source[100-1] = L'\0'; /* null terminate */
45 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
46 memcpy(data, source, 100*sizeof(wchar_t));❗VULN
47 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
48 printWLine(data);
49 free(data);
50 }
51}
52
53#endif /* OMITBAD */
54
55#ifndef OMITGOOD
56
57/* goodG2B1() - use goodsource and badsink by changing the staticTrue to staticFalse */
58static void goodG2B1()
59{
60 wchar_t * data;
61 data = NULL;
62 if(staticFalse)
63 {
64 /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
65 printLine("Benign, fixed string");
66 }
67 else
68 {
69 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
70 data = (wchar_t *)malloc(100*sizeof(wchar_t));
71 if (data == NULL) {exit(-1);}
72 data[0] = L'\0'; /* null terminate */
73 }
74 {
75 wchar_t source[100];
76 wmemset(source, L'C', 100-1); /* fill with L'C's */
77 source[100-1] = L'\0'; /* null terminate */
78 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
79 memcpy(data, source, 100*sizeof(wchar_t));
80 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
81 printWLine(data);
82 free(data);
83 }
84}
85
86/* goodG2B2() - use goodsource and badsink by reversing the blocks in the if statement */
87static void goodG2B2()
88{
89 wchar_t * data;
90 data = NULL;
91 if(staticTrue)
92 {
93 /* FIX: Allocate and point data to a large buffer that is at least as large as the large buffer used in the sink */
94 data = (wchar_t *)malloc(100*sizeof(wchar_t));
95 if (data == NULL) {exit(-1);}
96 data[0] = L'\0'; /* null terminate */
97 }
98 {
99 wchar_t source[100];
100 wmemset(source, L'C', 100-1); /* fill with L'C's */
101 source[100-1] = L'\0'; /* null terminate */
102 /* POTENTIAL FLAW: Possible buffer overflow if source is larger than data */
103 memcpy(data, source, 100*sizeof(wchar_t));
104 data[100-1] = L'\0'; /* Ensure the destination buffer is null terminated */
105 printWLine(data);
106 free(data);
107 }
108}
109
110void CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_memcpy_05_good()
111{
112 goodG2B1();
113 goodG2B2();
114}
115
116#endif /* OMITGOOD */
117
118/* Below is the main(). It is only used when building this testcase on
119 * its own for testing or for building a binary to use in testing binary
120 * analysis tools. It is not used when compiling all the testcases as one
121 * application, which is how source code analysis tools are tested.
122 */
123
124#ifdef INCLUDEMAIN
125
126int main(int argc, char * argv[])
127{
128 /* seed randomness */
129 srand( (unsigned)time(NULL) );
130#ifndef OMITGOOD
131 printLine("Calling good()...");
132 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_memcpy_05_good();
133 printLine("Finished good()");
134#endif /* OMITGOOD */
135#ifndef OMITBAD
136 printLine("Calling bad()...");
137 CWE122_Heap_Based_Buffer_Overflow__c_CWE805_wchar_t_memcpy_05_bad();
138 printLine("Finished bad()");
139#endif /* OMITBAD */
140 return 0;
141}
142
143#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 4444: CWE122_Heap_Based_Buffer_Overflow__CWE131_memcpy_18.c

Nodes: 11 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE122_Heap_Based_Buffer_Overflow__CWE131_memcpy_18.c
3Label Definition File: CWE122_Heap_Based_Buffer_Overflow__CWE131.label.xml
4Template File: sources-sink-18.tmpl.c
5*/
6/*
7 * @description
8 * CWE: 122 Heap Based Buffer Overflow
9 * BadSource: Allocate memory without using sizeof(int)
10 * GoodSource: Allocate memory using sizeof(int)
11 * Sink: memcpy
12 * BadSink : Copy array to data using memcpy()
13 * Flow Variant: 18 Control flow: goto statements
14 *
15 * */
16
17#include "std_testcase.h"
18
19#ifndef OMITBAD
20
21void CWE122_Heap_Based_Buffer_Overflow__CWE131_memcpy_18_bad()
22{
23 int * data;
24 data = NULL;
25 goto source;
26source:
27 /* FLAW: Allocate memory without using sizeof(int) */
28 data = (int *)malloc(10);
29 if (data == NULL) {exit(-1);}
30 {
31 int source[10] = {0};
32 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
33 memcpy(data, source, 10*sizeof(int));❗VULN
34 printIntLine(data[0]);
35 free(data);
36 }
37}
38
39#endif /* OMITBAD */
40
41#ifndef OMITGOOD
42
43/* goodG2B() - use goodsource and badsink by reversing the blocks on the goto statement */
44static void goodG2B()
45{
46 int * data;
47 data = NULL;
48 goto source;
49source:
50 /* FIX: Allocate memory using sizeof(int) */
51 data = (int *)malloc(10*sizeof(int));
52 if (data == NULL) {exit(-1);}
53 {
54 int source[10] = {0};
55 /* POTENTIAL FLAW: Possible buffer overflow if data was not allocated correctly in the source */
56 memcpy(data, source, 10*sizeof(int));
57 printIntLine(data[0]);
58 free(data);
59 }
60}
61
62void CWE122_Heap_Based_Buffer_Overflow__CWE131_memcpy_18_good()
63{
64 goodG2B();
65}
66
67#endif /* OMITGOOD */
68
69/* Below is the main(). It is only used when building this testcase on
70 * its own for testing or for building a binary to use in testing binary
71 * analysis tools. It is not used when compiling all the testcases as one
72 * application, which is how source code analysis tools are tested.
73 */
74
75#ifdef INCLUDEMAIN
76
77int main(int argc, char * argv[])
78{
79 /* seed randomness */
80 srand( (unsigned)time(NULL) );
81#ifndef OMITGOOD
82 printLine("Calling good()...");
83 CWE122_Heap_Based_Buffer_Overflow__CWE131_memcpy_18_good();
84 printLine("Finished good()");
85#endif /* OMITGOOD */
86#ifndef OMITBAD
87 printLine("Calling bad()...");
88 CWE122_Heap_Based_Buffer_Overflow__CWE131_memcpy_18_bad();
89 printLine("Finished bad()");
90#endif /* OMITBAD */
91 return 0;
92}
93
94#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Sample 9087: CWE124_Buffer_Underwrite__new_wchar_t_cpy_12.cpp

Nodes: 16 | Sink Nodes: 1 predicted, 1 actual

Source Code Analysis

Lines are highlighted based on model predictions. Hover over highlighted lines for details.

1/* TEMPLATE GENERATED TESTCASE FILE
2Filename: CWE124_Buffer_Underwrite__new_wchar_t_cpy_12.cpp
3Label Definition File: CWE124_Buffer_Underwrite__new.label.xml
4Template File: sources-sink-12.tmpl.cpp
5*/
6/*
7 * @description
8 * CWE: 124 Buffer Underwrite
9 * BadSource: Set data pointer to before the allocated memory buffer
10 * GoodSource: Set data pointer to the allocated memory buffer
11 * Sink: cpy
12 * BadSink : Copy string to data using wcscpy
13 * Flow Variant: 12 Control flow: if(globalReturnsTrueOrFalse())
14 *
15 * */
16
17#include "std_testcase.h"
18
19#include <wchar.h>
20
21namespace CWE124_Buffer_Underwrite__new_wchar_t_cpy_12
22{
23
24#ifndef OMITBAD
25
26void bad()
27{
28 wchar_t * data;
29 data = NULL;
30 if(globalReturnsTrueOrFalse())
31 {
32 {
33 wchar_t * dataBuffer = new wchar_t[100];
34 wmemset(dataBuffer, L'A', 100-1);
35 dataBuffer[100-1] = L'\0';
36 /* FLAW: Set data pointer to before the allocated memory buffer */
37 data = dataBuffer - 8;
38 }
39 }
40 else
41 {
42 {
43 wchar_t * dataBuffer = new wchar_t[100];
44 wmemset(dataBuffer, L'A', 100-1);
45 dataBuffer[100-1] = L'\0';
46 /* FIX: Set data pointer to the allocated memory buffer */
47 data = dataBuffer;
48 }
49 }
50 {
51 wchar_t source[100];
52 wmemset(source, L'C', 100-1); /* fill with 'C's */
53 source[100-1] = L'\0'; /* null terminate */
54 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
55 wcscpy(data, source);❗VULN
56 printWLine(data);
57 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
58 * returned by new [] so can't safely call delete [] on it */
59 }
60}
61
62#endif /* OMITBAD */
63
64#ifndef OMITGOOD
65
66/* goodG2B() - use goodsource and badsink by changing the "if" so that
67 both branches use the GoodSource */
68static void goodG2B()
69{
70 wchar_t * data;
71 data = NULL;
72 if(globalReturnsTrueOrFalse())
73 {
74 {
75 wchar_t * dataBuffer = new wchar_t[100];
76 wmemset(dataBuffer, L'A', 100-1);
77 dataBuffer[100-1] = L'\0';
78 /* FIX: Set data pointer to the allocated memory buffer */
79 data = dataBuffer;
80 }
81 }
82 else
83 {
84 {
85 wchar_t * dataBuffer = new wchar_t[100];
86 wmemset(dataBuffer, L'A', 100-1);
87 dataBuffer[100-1] = L'\0';
88 /* FIX: Set data pointer to the allocated memory buffer */
89 data = dataBuffer;
90 }
91 }
92 {
93 wchar_t source[100];
94 wmemset(source, L'C', 100-1); /* fill with 'C's */
95 source[100-1] = L'\0'; /* null terminate */
96 /* POTENTIAL FLAW: Possibly copying data to memory before the destination buffer */
97 wcscpy(data, source);
98 printWLine(data);
99 /* INCIDENTAL CWE-401: Memory Leak - data may not point to location
100 * returned by new [] so can't safely call delete [] on it */
101 }
102}
103
104void good()
105{
106 goodG2B();
107}
108
109#endif /* OMITGOOD */
110
111} /* close namespace */
112
113/* Below is the main(). It is only used when building this testcase on
114 its own for testing or for building a binary to use in testing binary
115 analysis tools. It is not used when compiling all the testcases as one
116 application, which is how source code analysis tools are tested. */
117
118#ifdef INCLUDEMAIN
119
120using namespace CWE124_Buffer_Underwrite__new_wchar_t_cpy_12; /* so that we can use good and bad easily */
121
122int main(int argc, char * argv[])
123{
124 /* seed randomness */
125 srand( (unsigned)time(NULL) );
126#ifndef OMITGOOD
127 printLine("Calling good()...");
128 good();
129 printLine("Finished good()");
130#endif /* OMITGOOD */
131#ifndef OMITBAD
132 printLine("Calling bad()...");
133 bad();
134 printLine("Finished bad()");
135#endif /* OMITBAD */
136 return 0;
137}
138
139#endif

Detailed Control Flow Graph

Interactive graph showing the relationships between code elements. Hover over nodes for prediction details.

Numbered Control Flow Graph

Simplified view showing just node numbers. Hover for details.

Legend

Node Types

Sink Node (Vulnerability)
Non-Sink Node

Edge Types

CFG Edge (Control Flow)
DDG Edge (Data Dependency)
CDG Edge (Control Dependency)

Performance Metrics

Accuracy

0.9957

F1-Macro

0.9849

Precision

0.9733

Recall

0.9972